CVE-2025-66955

MEDIUM

Asseco SEE Live 2.0 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-66955. PoCs published by TheWoodenBench.

AI-analyzed exploit summary The repository provides a detailed technical analysis of CVE-2025-66955, a Local File Inclusion vulnerability in Asseco SEE Live 2.0. It includes HTTP request examples demonstrating how the 'path' parameter in the 'downloadAttachment' and 'downloadAttachmentFromPath' API calls can be exploited to access arbitrary files on the host.

Description

Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls.

Exploits (1)

nomisec WRITEUP
by TheWoodenBench · poc
https://github.com/TheWoodenBench/CVE-2025-66955

The repository provides a detailed technical analysis of CVE-2025-66955, a Local File Inclusion vulnerability in Asseco SEE Live 2.0. It includes HTTP request examples demonstrating how the 'path' parameter in the 'downloadAttachment' and 'downloadAttachmentFromPath' API calls can be exploited to access arbitrary files on the host.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Asseco SEE Live 2.0
Auth required
Prerequisites: authenticated access to the target system
devstral-2 · analyzed May 04, 2026 Full analysis →

References (4)

Core 4
Core References
Various Sources
http://asseco.com
Various Sources
http://live.com
Various Sources
https://live.asee.io/

Scores

CVSS v3 6.5
EPSS 0.0031
EPSS Percentile 22.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-552
Status published
Products (1)
asseco/live 2.0
Published Mar 12, 2026
Tracked Since Mar 13, 2026