CVE-2024-26291
published 2025-07-14


Priority: P2 (60), high, CVSS 4.0 score 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.08% (61.0th percentile)
An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The filename parameter does not validate the path, thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default, attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

Affected

4 ranges
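| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| avid | avid_nexis_e-series | < 2025.5.1 | 2025.5.1 |
| avid | avid_nexis_f-series | < 2025.5.1 | 2025.5.1 |
| avid | avid_nexis_pro | < 2025.5.1 | 2025.5.1 |
| avid | system_director_appliance | < 2025.5.1 | 2025.5.1 |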

Detection & IOCs (extracted from sources)

url: GET /logs?filename=%2Fetc%2Fpasswd HTTP/1.1
url: GET /logs?filename=C%3A%5CWindows%5Cwin.ini HTTP/1.1
path: /logs
  • Look for HTTP requests to the /logs endpoint with a filename parameter containing absolute paths or path traversal sequences (encoded separators such as %2F and %5C, or ../) — this is the vulnerable parameter enabling arbitrary file read.
  • Responses from the vulnerable Avid NEXIS Agent will include the 'gSOAP' string in the HTTP response header — use this to fingerprint the service.
  • Use FOFA or similar asset discovery with the query body="Avid Nexis" to identify exposed Avid NEXIS Agent instances on the internet.
  • No authentication is required to exploit this vulnerability — any unauthenticated GET request to /logs?filename= with an arbitrary path is sufficient.
  • The vulnerability affects Avid NEXIS Agent running as root (Linux) or NT_AUTHORITY SYSTEM (Windows) by default, meaning file reads are not restricted by OS-level permissions.
  • All affected product lines (E-series, F-series, PRO+, SDA+) share the same vulnerable Agent component and endpoint — detections should not be scoped to a single product variant.
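
The first detection point above, as a log-scanning sketch (an added example, not code from this page or from Avid). It assumes requests to the Agent are recorded in combined access-log format by a proxy or network sensor; the sample lines, function names and the benign `agent.log` value are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Absolute POSIX path, Windows drive path, UNC path, or a ".." path component.
SUSPICIOUS_RE = re.compile(r'^(?:/|[A-Za-z]:[\\/]|\\\\)|(?:^|[\\/])\.\.(?:[\\/]|$)')

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '198.51.100.7 - - [14/Jul/2025:10:02:11 +0000] "GET /logs?filename=%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [14/Jul/2025:10:02:12 +0000] "GET /logs?filename=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 92',
    '198.51.100.7 - - [14/Jul/2025:10:02:13 +0000] "GET /logs?filename=%252Fetc%252Fshadow HTTP/1.1" 200 1204',
    '192.0.2.10 - - [14/Jul/2025:10:05:40 +0000] "GET /logs?filename=agent.log HTTP/1.1" 200 5120',
    '192.0.2.10 - - [14/Jul/2025:10:05:41 +0000] "GET /status HTTP/1.1" 200 311',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators (%252F) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_filename(log_line):
    """Return the decoded filename value of a flagged /logs request, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/") != "/logs":
        return None
    # parse_qs decodes once; decode_fully handles any further encoding layers.
    for raw in parse_qs(url.query, keep_blank_values=True).get("filename", []):
        value = decode_fully(raw)
        if SUSPICIOUS_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_filename) for every flagged line."""
    return [(i, v) for i, line in enumerate(lines, 1)
            if (v := suspicious_filename(line)) is not None]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: /logs filename -> {value!r}")
```

Baseline what legitimate /logs requests look like in your environment before alerting on this; if the Agent's own UI passes absolute paths in filename, match against an allowlist of expected log locations instead.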