CVE-2025-60805
📋 TL;DR
This vulnerability in BESSystem BES Application Server allows unauthorized attackers to access sensitive information through improper configuration of the 'pre-resource' option in bes-web.xml files. It affects all BES Application Server versions up to and including 9.5.x. Attackers can exploit this without authentication to potentially access configuration data, credentials, or other sensitive information.
💻 Affected Systems
- BESSystem BES Application Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive configuration files containing database credentials, API keys, or other secrets, leading to full system compromise or data breach.
Likely Case
Unauthenticated attackers access application configuration details, potentially revealing internal system information that could facilitate further attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
The GitHub gist reference contains technical details that could be used to create exploits; exploitation requires understanding of bes-web.xml structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.bessystem.com/product/0ad9b8c4d6af462b8d15723a5f25a87d/info?p=101
Restart Required: Yes
Instructions:
1. Check the vendor advisory for patch availability.
2. If a patch exists, download it from the official vendor site.
3. Apply the patch following the vendor's instructions.
4. Restart the BES Application Server services.
🔧 Temporary Workarounds
Restrict bes-web.xml access
Configure the web server to deny direct access to bes-web.xml files
# Apache: Add to .htaccess or virtual host config
<Files "bes-web.xml">
Require all denied
</Files>
# Nginx: Add to server block
location ~* /bes-web\.xml$ {
deny all;
}
Remove sensitive data from bes-web.xml
Review and sanitize bes-web.xml files to remove any sensitive information
# Review bes-web.xml files for sensitive data
find /path/to/bes -name "bes-web.xml" -exec grep -l "password\|secret\|key" {} \;
# Backup before editing
cp bes-web.xml bes-web.xml.backup
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the BES Application Server
- Deploy a web application firewall (WAF) with rules to block access to bes-web.xml files
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[server]/[context]/bes-web.xml and check whether the configuration file is served without authentication
Check Version:
Check the BES Application Server version in the administration console or via the besadmin command-line tool
Verify Fix Applied:
After applying controls, verify bes-web.xml files are no longer accessible via direct HTTP requests
📡 Detection & Monitoring
Log Indicators:
- HTTP requests for bes-web.xml files in access logs
- 403 or 404 errors for bes-web.xml access attempts after remediation
Network Indicators:
- Unusual requests to bes-web.xml paths from external IPs
- Multiple rapid requests for configuration files
SIEM Query:
source="web_access_logs" AND (uri="*bes-web.xml" OR uri="*/bes-web.xml")
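As an added defensive example (not part of the advisory or the vendor's tooling), the following Python script applies the log indicators above to access-log lines: it parses combined-format entries, selects requests whose path ends in bes-web.xml, separates served (2xx) responses from blocked (403/404) ones, and flags sources that issue several such requests within a short window. The log lines, IP addresses and context paths are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /app/bes-web.xml HTTP/1.1" 200 4821 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /app/WEB-INF/bes-web.xml HTTP/1.1" 200 4821 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /other/bes-web.xml HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2025:12:05:00 +0000] "GET /app/index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:05:30 +0000] "GET /app/bes-web.xml HTTP/1.1" 403 150 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# Same intent as the SIEM query uri="*/bes-web.xml": path component ends in bes-web.xml.
TARGET_RE = re.compile(r'/bes-web\.xml(?:$|[?#])', re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "uri": m.group("uri"), "status": int(m.group("status"))}

def find_bes_web_xml_requests(log_text):
    """Return every request whose URI targets bes-web.xml, regardless of response status."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and TARGET_RE.search(rec["uri"]):
            hits.append(rec)
    return hits

def classify(hits, burst_window_s=60, burst_count=3):
    """Split hits into exposures (2xx: the file was served) and blocked attempts (403/404),
    and flag source IPs that made >= burst_count hits within burst_window_s seconds."""
    exposures = [h for h in hits if 200 <= h["status"] < 300]
    blocked = [h for h in hits if h["status"] in (403, 404)]
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["ts"])
    bursts = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= burst_window_s:
                bursts.add(ip)
                break
    return {"exposures": exposures, "blocked": blocked, "burst_sources": sorted(bursts)}

if __name__ == "__main__":
    r = classify(find_bes_web_xml_requests(SAMPLE_LOG))
    print(f"{len(r['exposures'])} served, {len(r['blocked'])} blocked, bursts from {r['burst_sources']}")
```

A 2xx hit after the workaround is applied means the deny rule is not covering that path; 403/404 hits are the expected post-remediation signal and still worth alerting on for burst sources.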