CVE-2025-66386
📋 TL;DR
This CVE describes a path traversal vulnerability in MISP's EventReport.php that allows site-admin users to access files outside the intended directory when viewing pictures. The vulnerability affects MISP instances running versions before 2.5.27 and requires site-admin privileges to exploit.
💻 Affected Systems
- MISP (Malware Information Sharing Platform & Threat Sharing)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A compromised site-admin account could read sensitive system files, configuration files, or other restricted data through directory traversal, potentially leading to further system compromise.
Likely Case
Authorized site-admin users could unintentionally or intentionally access files they shouldn't be able to view, violating data confidentiality boundaries.
If Mitigated
With proper access controls and monitoring, the impact is limited to authorized users accessing files they shouldn't, which can be detected and investigated.
🎯 Exploit Status
Exploitation requires site-admin privileges. The vulnerability is in the picture viewing functionality of EventReport.php.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.27
Vendor Advisory: https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce
Restart Required: No
Instructions:
1. Backup your MISP instance and database.
2. Update to MISP version 2.5.27 or later.
3. Follow standard MISP update procedures from the official documentation.
🔧 Temporary Workarounds
Restrict site-admin access
Limit the number of site-admin users and implement strict access controls for these accounts.
Monitor file access patterns
Implement monitoring for unusual file access patterns from site-admin accounts.
🧯 If You Can't Patch
- Implement strict monitoring and alerting for site-admin file access activities
- Review and reduce site-admin privileges to minimum necessary levels
🔍 How to Verify
Check if Vulnerable:
Check your MISP version. If it's below 2.5.27, you are vulnerable if you have site-admin users.
Check Version:
php /var/www/MISP/app/Console/cake Admin getSetting MISP.version
Verify Fix Applied:
Verify that your MISP version is 2.5.27 or higher by checking the version in the web interface or via command line.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs
- Multiple failed or unusual file requests from site-admin accounts
Network Indicators:
- Unusual outbound data transfers following file access patterns
SIEM Query:
source="misp_access_logs" AND (uri CONTAINS "EventReport" OR uri CONTAINS "viewPicture") AND (user="site-admin" OR user_role="site-admin") AND (uri CONTAINS "../" OR uri CONTAINS "..\\")
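The SIEM query above only matches literal `../` and `..\` sequences, so a request that URL-encodes the dots or slashes (`%2e%2e%2f`, or a double-encoded `%252e%252e`) would slip past it. The following script is an added example written for this page; it is not MISP's code and not part of the original advisory. It scans Apache-style access log lines for requests to the EventReport picture endpoint whose path still contains a traversal sequence after decoding. The URL layout `/eventReports/viewPicture/...` and the log lines themselves are constructed assumptions for the demonstration; adjust the endpoint match to what your web server actually logs.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). IPs, timestamps and
# paths are invented for this example; they are not from a real MISP host.
# The /eventReports/viewPicture/ route is an assumption based on the
# "EventReport" / "viewPicture" strings in the advisory's SIEM query.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /eventReports/viewPicture/12/img.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /eventReports/viewPicture/12/../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /eventReports/viewPicture/12/..%2F..%2F..%2Fapp%2FConfig%2Fconfig.php HTTP/1.1" 200 2201 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /eventReports/viewPicture/12/%252e%252e%255c%252e%252e%255cconfig.php HTTP/1.1" 404 120 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /events/view/12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Minimal parser for the Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment bounded by a separator (or the string boundary).
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def normalize_uri(uri: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times (so %2e%2e and %252e%252e both
    become '..') and fold backslashes into forward slashes."""
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def has_traversal(uri: str) -> bool:
    """True if the decoded path contains a '..' segment."""
    return TRAVERSAL_RE.search(normalize_uri(uri)) is not None


def is_picture_endpoint(uri: str) -> bool:
    """True if the request targets the EventReport picture view
    (route layout assumed, see comment above)."""
    low = normalize_uri(uri).lower()
    return 'eventreport' in low and 'viewpicture' in low


def find_traversal_requests(log_text: str) -> list[dict]:
    """Return one record per log line that hits the picture endpoint
    with a traversal sequence in its path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the scan
        uri = m.group('uri')
        if is_picture_endpoint(uri) and has_traversal(uri):
            hits.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'status': int(m.group('status')),
                'uri': uri,
                'decoded': normalize_uri(uri),
            })
    return hits


def summarize_by_source(hits: list[dict]) -> dict:
    """Count flagged requests per source IP for triage."""
    counts: dict = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = find_traversal_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} status={h['status']} {h['decoded']}")
    print('per-source counts:', summarize_by_source(found))
```

Note that a 404 response is still worth flagging: a failed attempt shows someone probing the endpoint, and on a patched instance repeated probes from one site-admin session are the signal to investigate that account. Correlate the source IP and timestamp with MISP's own audit log to attach a user identity, since the web server log alone does not record the MISP role.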