Description
An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal.
Published: 2026-04-03
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file writes enabling potential remote code execution
Action: Patch
AI Analysis

Impact

A directory traversal flaw in the file upload feature of Biztalk360 allows an authenticated user to place files outside the intended directory. This can overwrite configuration files or drop malicious payloads, leading to unauthorized file writes and the potential for remote code execution.

Affected Systems

Biztalk360 versions older than 11.5, deployed on servers that use the default upload interface, are susceptible. The flaw is present in the upload component that accepts user‑supplied files. Any system running a pre‑11.5 release of Biztalk360 is affected.

Risk and Exploitability

The vulnerability scores a CVSS of 8.3, signifying high severity, and an EPSS below 1%, indicating a low current likelihood of exploitation. It is not listed in the CISA KEV catalog. An attacker must be authenticated to the Biztalk360 service to abuse the flaw, but once authenticated they can write files beyond the intended scope, offering a path to compromise the system.

Generated by OpenCVE AI on April 9, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Biztalk360 to version 11.5 or later.
  • If an upgrade is not immediately possible, restrict file uploads to trusted users and validate all file paths before writing to disk.
  • Configure file system permissions so that the Biztalk360 service can write only within the designated upload directory.
  • Monitor upload logs for unexpected file names or paths and investigate any suspicious activity.

Generated by OpenCVE AI on April 9, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Directory Traversal Leading to Unauthorized File Write in Biztalk360

Thu, 09 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Kovai
Kovai biztalk360
CPEs cpe:2.3:a:kovai:biztalk360:*:*:*:*:*:*:*:*
Vendors & Products Kovai
Kovai biztalk360

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Biztalk360
Biztalk360 biztalk360
Vendors & Products Biztalk360
Biztalk360 biztalk360

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Title Directory Traversal Leading to Unauthorized File Write in Biztalk360

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal.
References

Subscriptions

Biztalk360 Biztalk360
Kovai Biztalk360
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T15:12:37.606Z

Reserved: 2025-09-19T00:00:00.000Z

Link: CVE-2025-59711

cve-icon Vulnrichment

Updated: 2026-04-03T15:08:33.167Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T15:16:04.637

Modified: 2026-04-09T00:30:06.267

Link: CVE-2025-59711

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:20Z

Weaknesses