{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-66956", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-13T15:10:17.209Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-03-11T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-13T15:10:17.209Z"}, "descriptions": [{"lang": "en", "value": "Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://asseco.com"}, {"url": "https://github.com/TheWoodenBench/CVE-2025-66956"}, {"url": "https://live.asee.io/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T20:30:17.032457Z", "id": "CVE-2025-66956", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:30:53.676Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-66956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T20:30:17.032457Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:29:10.200Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://asseco.com"}, {"url": "https://github.com/TheWoodenBench/CVE-2025-66956"}, {"url": "https://live.asee.io/"}], "descriptions": [{"lang": "en", "value": "Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-13T15:10:17.209Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66956", "state": "PUBLISHED", "dateUpdated": "2026-03-13T15:10:17.209Z", "dateReserved": "2025-12-08T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-11T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL."}, {"lang": "es", "value": "Control de acceso inseguro en los componentes de Plan de Contacto, Correo Electr\u00f3nico, SMS y Fax en Asseco SEE Live 2.0 permite a atacantes remotos acceder y ejecutar archivos adjuntos a trav\u00e9s de una URL computable."}], "id": "CVE-2025-66956", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T21:16:13.037", "references": [{"source": "cve@mitre.org", "url": "http://asseco.com"}, {"source": "cve@mitre.org", "url": "https://github.com/TheWoodenBench/CVE-2025-66956"}, {"source": "cve@mitre.org", "url": "https://live.asee.io/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "see_live", "vendor": "asseco"}], "analysis": {"en": {"generated_at": "2026-03-17T15:05:05.939484+00:00", "value": {"mitigation_remediation": ["Verify whether your infrastructure runs Asseco SEE Live 2.0 and confirm the presence of components Contact Plan, E\u2011Mail, SMS and Fax.", "Check Asseco\u2019s support or security portal for a patch or update addressing the access\u2011control flaw.", "Apply the approved patch or upgrade to a later release as soon as it becomes available.", "If a patch is not yet available, block external access to the URL patterns that expose attachments, or place the affected services behind a firewall or proxy that requires authentication before allowing URL access.", "Monitor logs for suspicious attachment download activity and consider disabling or restricting the attachment feature until a fix is applied."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access / Remote Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Asseco SEE Live 2.0. Vulnerable components include Contact Plan, E\u2011Mail, SMS and Fax. No granular versioning is provided, but the issue applies to the 2.0 release line. No vendor\u2011specific product mapping or patch version is available in the data.", "description_and_impact": "This vulnerability is an insecure access control flaw in the Contact Plan, E\u2011Mail, SMS and Fax components of Asseco SEE Live 2.0. A remote attacker who can guess or compute the attachment URL can download and execute attachments without authentication. This grants the attacker potential read access to sensitive information or the ability to execute arbitrary code if the attachment content can be abused. The weakness is listed as CWE\u2011284 \u2013 Failure to Restrict the Use of One or More Privileges.", "risk_and_exploitability": "The CVSS base score is 9.9, indicating critical severity. EPSS is below 1\u202f%, suggesting exploitation likelihood is low at present. It is not listed in the CISA KEV catalog. Attackers can exploit this remotely by constructing a valid URL to the attachment; authentication is not required. The vulnerability does not require local privilege escalation, so attack may be achievable from external network connections."}}}}, "created": "2026-03-12T10:06:41.751932+00:00", "title": "Insecure Access Control in Asseco SEE Live 2.0 \u2013 Remote Retrieval and Execution of Attachments", "updated": "2026-03-20T14:33:54.603424+00:00", "vendors": ["asseco", "asseco$PRODUCT$see_live"]}