CVE-2025-66723

HIGH

inMusic Brands Engine DJ <4.3.4 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-66723. PoCs published by audiopump.

AI-analyzed exploit summary: CVE-2025-66723 describes an arbitrary file read vulnerability in inMusic Brands Engine DJ software due to unauthenticated access to an embedded HTTP server on port 50020. Attackers can exfiltrate local or network-accessible files by crafting HTTP requests with filesystem paths.

Description

inMusic Brands Engine DJ before 4.3.4 suffers from Insecure Permissions due to an exposed HTTP service in the Remote Library, which allows attackers to access all files and network paths.

Exploits (1)

nomisec WRITEUP
by audiopump · poc
https://github.com/audiopump/cve-2025-66723

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: inMusic Brands Engine DJ >=3.0.0, <4.3.4
No auth needed
Prerequisites: Network access to the affected host · Knowledge of target file paths
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory
https://github.com/audiopump/cve-2025-66723

Scores

CVSS v3: 7.5
EPSS: 0.0038
EPSS Percentile: 29.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-732
Status: published
Products (1): inmusicbrands/engine_dj_desktop 3.0.0 - 4.3.4
Published: Dec 30, 2025
Tracked Since: Feb 18, 2026