PT-2025-29436 · Avid · Avid Nexis Pro+
Cert-Bund · Published 2025-07-14 · Updated 2026-04-22 · CVE-2024-26291
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
Avid NEXIS E-series versions prior to 2025.5.1
Avid NEXIS F-series versions prior to 2025.5.1
Avid NEXIS PRO+ versions prior to 2025.5.1
System Director Appliance (SDA+) versions prior to 2025.5.1
Description:
The application is susceptible to an unauthenticated arbitrary file read issue. The filename parameter does not properly validate file paths, allowing unauthorized users to read arbitrary files. Because the application operates with elevated privileges (root/NT AUTHORITY\SYSTEM), attackers can potentially access sensitive information.
Recommendations:
Avid NEXIS E-series versions prior to 2025.5.1: Upgrade to version 2025.5.1 or later.
Avid NEXIS F-series versions prior to 2025.5.1: Upgrade to version 2025.5.1 or later.
Avid NEXIS PRO+ versions prior to 2025.5.1: Upgrade to version 2025.5.1 or later.
System Director Appliance (SDA+) versions prior to 2025.5.1: Upgrade to version 2025.5.1 or later.
Fix
Improper Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Avid Nexis E-Series
Avid Nexis Pro+
System Director Appliance