Description
A stack-based buffer overflow vulnerability exists in the built-in web interface of DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14. The vulnerability arises from improper bounds checking on the path component of HTTP GET requests. By sending a specially crafted long URI, a remote unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution with SYSTEM privileges on vulnerable Windows hosts.
Published: 2025-07-15
Score: 10 Critical
EPSS: 53.3% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow exists in the built-in web interface of DiskBoss Enterprise, caused by improper bounds checking on the path component of HTTP GET requests. A remote unauthenticated attacker can send a specially crafted long URI to trigger the overflow, potentially resulting in arbitrary code execution with SYSTEM privileges on Windows hosts.

Affected Systems

The vulnerability affects Flexense DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14. Users running these versions on Windows operating systems are at risk.

Risk and Exploitability

This flaw has a CVSS score of 10 and an EPSS score of 53%, indicating a very high likelihood of exploitation in the wild. Although it is not listed in the CISA KEV catalog, the high EPSS suggests that attackers are already actively seeking this vulnerability. The attack vector is inferred to be an unauthenticated HTTP GET request to the web interface, which an attacker can craft from anywhere on the network, making it especially dangerous for externally exposed instances.

Generated by OpenCVE AI on April 28, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released fix for DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14 as soon as it is available.
  • If a patch is not yet available, restrict external access to the DiskBoss web interface to trusted IP addresses or VPN only.
  • Consider disabling or removing the feature that parses long URI paths until a patch is applied.
  • Monitor Windows event logs for signs of unusual activity that may indicate an attempted or successful exploitation.

Generated by OpenCVE AI on April 28, 2026 at 11:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21434 A stack-based buffer overflow vulnerability exists in the built-in web interface of DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14. The vulnerability arises from improper bounds checking on the path component of HTTP GET requests. By sending a specially crafted long URI, a remote unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution with SYSTEM privileges on vulnerable Windows hosts.
History

Fri, 21 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Flexense
Flexense diskboss
CPEs cpe:2.3:a:flexense:diskboss:7.4.28:*:*:*:*:*:*:*
cpe:2.3:a:flexense:diskboss:7.5.12:*:*:*:*:*:*:*
cpe:2.3:a:flexense:diskboss:8.2.14:*:*:*:*:*:*:*
Vendors & Products Flexense
Flexense diskboss

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00212}

Tue, 15 Jul 2025 14:30:00 +0000

Type Values Removed Values Added
References

Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 14:00:00 +0000

Type Values Removed Values Added
References

Tue, 15 Jul 2025 13:15:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow vulnerability exists in the built-in web interface of DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14. The vulnerability arises from improper bounds checking on the path component of HTTP GET requests. By sending a specially crafted long URI, a remote unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution with SYSTEM privileges on vulnerable Windows hosts.
Title DiskBoss Enterprise Stack-Based Buffer Overflow RCE
Weaknesses CWE-20
CWE-787
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Flexense Diskboss
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:33.315Z

Reserved: 2025-04-15T19:15:22.557Z

Link: CVE-2025-34105

cve-icon Vulnrichment

Updated: 2025-07-15T13:39:01.253Z

cve-icon NVD

Status : Deferred

Published: 2025-07-15T13:15:30.107

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34105

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses