CVE-2025-59709 - Vulnerability Details

Description

An issue was discovered in Biztalk360 through 11.5. because of mishandling of user-provided input in a path to be read by the server, a Super User attacker is able to read files on the system and/or coerce an authentication from the service, aka Directory Traversal.

Published: 2026-04-03

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a classic directory traversal flaw that allows an attacker with super user privileges to craft a file path that bypasses normal access controls. By supplying such a path to the application, the attacker can read any file that the local file system permits the process to read, or potentially force the service to perform an authentication operation. This leads to exposure of sensitive configuration data, credentials, or other confidential information, compromising confidentiality and potentially integrity if the attacker can influence authentication logic.

Affected Systems

KOVAI Biztalk360 installations running versions up to and including 11.5 are affected.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. Exploit probability, according to EPSS, is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. Successful exploitation requires the attacker to already possess super user access or to elevate privileges to that level; therefore the risk is primarily for systems with compromised or privileged users. If such access exists, the attacker can easily supply a malicious path to read arbitrary files, making the threat significant but the likelihood of a fresh attack low unless privileged credentials are exposed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:kovai:biztalk360:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Biztalk360

80%

Version	Status	Scheme	Platform
`[0,11.5]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Biztalk360 patch (version 11.5 or newer).
If a patch is unavailable, enforce strict input validation to reject paths containing directory traversal characters.
Restrict the ability of non‑administrator processes to read arbitrary files on the system.

Generated by OpenCVE AI on April 9, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0018.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.synacktiv.com/en/advisories/remote-code-execution-from-any-domain-account-in-biztalk360

History

Fri, 10 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Title	Directory Traversal Allowing Super User File Read in Biztalk360

Thu, 09 Apr 2026 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kovai Kovai biztalk360
CPEs		cpe:2.3:a:kovai:biztalk360::::::::
Vendors & Products		Kovai Kovai biztalk360
Metrics		cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}`

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Biztalk360 Biztalk360 biztalk360
Vendors & Products		Biztalk360 Biztalk360 biztalk360

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Title		Directory Traversal Allowing Super User File Read in Biztalk360
Weaknesses		CWE-22

Fri, 03 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in Biztalk360 through 11.5. because of mishandling of user-provided input in a path to be read by the server, a Super User attacker is able to read files on the system and/or coerce an authentication from the service, aka Directory Traversal.
References		https://www.synacktiv.com/en/advisories/remote-code-execution-from-any-domain-account-in-biztalk360

Subscriptions

Biztalk360 Biztalk360

Kovai Biztalk360

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-03T00:00:00.000Z

Updated: 2026-04-09T20:33:34.007Z

Reserved: 2025-09-19T00:00:00.000Z

Link: CVE-2025-59709

Vulnrichment

Updated: 2026-04-09T17:29:52.271Z

NVD

Status : Modified

Published: 2026-04-03T15:16:03.817

Modified: 2026-04-09T21:16:07.163

Link: CVE-2025-59709

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:22Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object