Cyber Resilience

CVE-2018-25164

High · Public PoC

Published: 06 March 2026

Modified: 15 April 2026
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0027 (17.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25164 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

CVE-2018-25164 is an arbitrary file download vulnerability in EverSync version 0.5. The issue stems from the files directory being directly accessible, enabling unauthenticated attackers to request and retrieve sensitive files, such as the database file db.sq3, which contains application data and credentials. This flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact with no effects on integrity or availability.

Unauthenticated remote attackers can exploit this vulnerability by sending GET requests directly to the files directory endpoint. No user interaction, privileges, or special conditions are required, making it straightforward to execute over the network. Successful exploitation allows attackers to download sensitive files, exposing application data and credentials stored in databases like db.sq3.

Advisories, including those from VulnCheck, describe the arbitrary file download via the files directory. An exploit proof-of-concept is publicly available on Exploit-DB (exploit 45868), confirming practical exploitability. No specific patches or mitigations are detailed in the provided references.
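
The access pattern described above can be hunted for in web server access logs. The following is an added example, not code from the advisory or from the EverSync project; the `/files/` URL prefix, the extension list, the Common/Combined Log Format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumptions, not taken from the advisory: the exposed directory is served
# under /files/ and the web server writes Common/Combined Log Format.
FILES_PREFIX = "/files/"
SENSITIVE_EXT = (".sq3", ".sqlite", ".sqlite3", ".db", ".sql", ".bak")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize_path(target):
    """Percent-decode, lowercase and collapse dot segments so that variants
    of the same path compare equal."""
    path = unquote(urlsplit(target).path).lower()
    return posixpath.normpath("/" + path.lstrip("/"))

def find_exposed_downloads(lines):
    """Return successful GETs for database-like files under FILES_PREFIX."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        status = int(m["status"])
        path = normalize_path(m["target"])
        if (status in (200, 206) and path.startswith(FILES_PREFIX)
                and path.endswith(SENSITIVE_EXT)):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append({"ip": m["ip"], "time": m["ts"], "path": path,
                         "status": status, "bytes": size})
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Mar/2026:10:00:01 +0000] "GET /files/db.sq3 HTTP/1.1" 200 40960 "-" "curl/8.5.0"',
    '203.0.113.7 - - [06/Mar/2026:10:00:05 +0000] "GET /files/DB.SQ3?v=1 HTTP/1.1" 206 1024 "-" "curl/8.5.0"',
    '198.51.100.4 - - [06/Mar/2026:10:02:11 +0000] "GET /files/db.sq3 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Mar/2026:10:03:40 +0000] "GET /files/readme.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.0.2.10 - alice [06/Mar/2026:10:04:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_exposed_downloads(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 or 206 means the file was served, so the credentials stored in that database should be treated as exposed.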

Vulnerability details

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 · Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

An arbitrary file download on a public-facing application directly enables remote exploitation (T1190) and retrieval of local files and credentials (T1005, T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35446 · Shared CWE-552
CVE-2025-26525 · Shared CWE-552
CVE-2025-41240 · Shared CWE-552
CVE-2026-34392 · Shared CWE-552
CVE-2025-69428 · Shared CWE-552
CVE-2024-12917 · Shared CWE-552
CVE-2025-11371 · Shared CWE-552
CVE-2024-48864 · Shared CWE-552
CVE-2026-2331 · Shared CWE-552
CVE-2024-43660 · Shared CWE-552

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly protects public web servers from unauthorized access to nonpublic sensitive files in exposed directories like the files directory.

Prevent: Enforces access control policies to block unauthenticated GET requests to sensitive files and directories.

Prevent: Limits web application functionality to essentials, disabling direct access to file directories containing sensitive data like db.sq3.
