Impact
The vulnerability in Mimecast Incydr prior to version 2.6.0 allows arbitrary file access, enabling a threat actor to read or modify any file accessible to the Incydr agent process. The weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The potential impact is unauthorized disclosure or alteration of data stored on the host where the agent runs, compromising confidentiality and integrity. The CVSS score of 4.5 indicates moderate severity, though the impact could be significant in environments where sensitive documents are stored on endpoints.
Affected Systems
Mimecast Incydr, any version before 2.6.0. The only vendor‑product pair identified is Mimecast:Incydr. No additional specific sub‑product or version details are listed beyond the stated pre‑2.6.0 baseline.
Risk and Exploitability
The issue carries a moderate CVSS score of 4.5 and is not listed in CISA’s KEV catalog; no EPSS score is available. The description does not explicitly document the attack vector; exploitation is likely via local privilege escalation or by compromising the Incydr agent, which runs on the target machine. An adversary who can execute code in the same context as the agent could read any file the user or system can access. The available data indicates no documented remote exploitation path.
OpenCVE Enrichment