Description
Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.
Published: 2026-03-11
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access / Remote Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an insecure access control flaw in the Contact Plan, E‑Mail, SMS and Fax components of Asseco SEE Live 2.0. A remote attacker who can guess or compute the attachment URL can download and execute attachments without authentication. This grants the attacker potential read access to sensitive information or the ability to execute arbitrary code if the attachment content can be abused. The weakness is listed as CWE‑284 – Failure to Restrict the Use of One or More Privileges.

Affected Systems

The affected product is Asseco SEE Live 2.0. Vulnerable components include Contact Plan, E‑Mail, SMS and Fax. No granular versioning is provided, but the issue applies to the 2.0 release line. No vendor‑specific product mapping or patch version is available in the data.

Risk and Exploitability

The CVSS base score is 9.9, indicating critical severity. EPSS is below 1%, suggesting exploitation likelihood is low at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this remotely by constructing a valid URL to the attachment; authentication is not required. The vulnerability does not require local privilege escalation, so an attack may be achievable from external network connections.

Generated by OpenCVE AI on March 17, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether your infrastructure runs Asseco SEE Live 2.0 and confirm the presence of components Contact Plan, E‑Mail, SMS and Fax.
  • Check Asseco’s support or security portal for a patch or update addressing the access‑control flaw.
  • Apply the approved patch or upgrade to a later release as soon as it becomes available.
  • If a patch is not yet available, block external access to the URL patterns that expose attachments, or place the affected services behind a firewall or proxy that requires authentication before allowing URL access.
  • Monitor logs for suspicious attachment download activity and consider disabling or restricting the attachment feature until a fix is applied.



Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type | Values Removed | Values Added
Title | | Insecure Access Control in Asseco SEE Live 2.0 – Remote Retrieval and Execution of Attachments

Fri, 13 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
References | |

Fri, 13 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
References | |

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Asseco; Asseco see Live
Vendors & Products | | Asseco; Asseco see Live

Wed, 11 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-13T15:10:17.209Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-66956

Vulnrichment

Updated: 2026-03-11T20:29:10.200Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T21:16:13.037

Modified: 2026-03-13T19:53:53.083

Link: CVE-2025-66956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:33:54Z

Weaknesses