CVE-2025-26138

6.5 MEDIUM

📋 TL;DR

Systemic Risk Value versions up to 2.8.0 have an improper access control vulnerability in the file download endpoint. Attackers can access unauthorized files by manipulating predictable numerical IDs in the URL parameter. This affects all users of vulnerable versions who handle sensitive files through this application.

💻 Affected Systems

Products:
  • Systemic Risk Value
Versions: <=2.8.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when file upload/download functionality is used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all uploaded files including sensitive documents, credentials, or proprietary data leading to data breach, compliance violations, and reputational damage.

🟠 Likely Case

Unauthorized access to confidential files containing business information, personal data, or operational details that could be used for further attacks.

🟢 If Mitigated

Limited exposure of non-sensitive files or partial data leakage if proper file classification and access controls are implemented elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple ID enumeration attack requiring no authentication or special tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is available. Upgrade to a version later than 2.8.0 if one is available; otherwise, implement the workarounds below.

🔧 Temporary Workarounds

Web Application Firewall Rule (platform: all)

Block access to the vulnerable endpoint or implement rate limiting.

WAF specific: configure a rule to block /RiskValue/GroupingEntities/Controls/GetFile.aspx

Authentication Enforcement (platform: all)

Require authentication for all file access endpoints.

Application configuration: enforce authentication middleware

🧯 If You Can't Patch

  • Implement proper access control checks in the GetFile.aspx endpoint
  • Use unpredictable file identifiers (GUIDs instead of sequential numbers)

🔍 How to Verify

Check if Vulnerable:

Attempt to access files by incrementing/decrementing ID parameter in /RiskValue/GroupingEntities/Controls/GetFile.aspx?ID=

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that file access requires proper authentication and authorization checks

📡 Detection & Monitoring

Log Indicators:

  • Multiple sequential requests to GetFile.aspx with different ID parameters
  • Access denied errors followed by successful file downloads

Network Indicators:

  • Unusual patterns of file download requests
  • Bursts of requests to the vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="/RiskValue/GroupingEntities/Controls/GetFile.aspx" AND (status=200 OR status=403) | stats count by client_ip, uri
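
The query above counts requests per client but does not show whether the requested IDs form a sequence. The following added example (not part of the original advisory or the vendor's code) applies both log indicators to access-log lines. The log layout (`timestamp client_ip method url status`), the sample entries and the two thresholds are assumptions to adapt to your own log source.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/RiskValue/GroupingEntities/Controls/GetFile.aspx"
MIN_DISTINCT_IDS = 5  # assumed threshold: distinct file IDs requested by one client
MIN_RUN = 4           # assumed threshold: longest run of consecutive IDs
LINE_RE = re.compile(r"^\S+ (\S+) \S+ (\S+) (\d{3})$")  # ts ip method url status

# Constructed sample: one client walks IDs 100-106, another fetches one file twice.
SAMPLE_LOG = [f"2025-01-01T00:00:{i:02d}Z 203.0.113.7 GET {ENDPOINT}?ID={100 + i} "
              f"{403 if i == 2 else 200}" for i in range(7)]
SAMPLE_LOG += [f"2025-01-01T00:01:00Z 198.51.100.20 GET {ENDPOINT}?id=4411 200"] * 2

def parse(line):
    """Return (ip, file_id, status) for a GetFile.aspx request, else None."""
    m = LINE_RE.match(line.strip())
    url = urlsplit(m.group(2)) if m else None
    if url is None or url.path.lower() != ENDPOINT.lower():
        return None
    # Treat the query key case-insensitively (ID, id, Id).
    ids = [v for k, vs in parse_qs(url.query).items() if k.lower() == "id" for v in vs]
    if len(ids) != 1 or not re.fullmatch(r"[0-9]+", ids[0]):
        return None
    return m.group(1), int(ids[0]), int(m.group(3))

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for start in (i for i in ids if i - 1 not in ids):
        end = start
        while end + 1 in ids:
            end += 1
        best = max(best, end - start + 1)
    return best

def find_enumeration(lines):
    """Map client IP -> (distinct IDs, longest run, saw 403 then 200)."""
    events = defaultdict(list)
    for ip, file_id, status in filter(None, map(parse, lines)):
        events[ip].append((file_id, status))
    alerts = {}
    for ip, evs in events.items():
        ids = {fid for fid, _ in evs}
        codes = [st for _, st in evs]
        denied_then_ok = 403 in codes and 200 in codes[codes.index(403):]
        run = longest_run(ids)
        if len(ids) >= MIN_DISTINCT_IDS and run >= MIN_RUN:
            alerts[ip] = (len(ids), run, denied_then_ok)
    return alerts
```

Calling `find_enumeration(SAMPLE_LOG)` flags only the client that requested consecutive IDs; the client that downloaded a single file repeatedly is not reported.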
