CVE-2025-2493
Published: 18 March 2025
Summary
CVE-2025-2493 is a high-severity Path Traversal (CWE-22) vulnerability in Sytel Softdial Contact Center. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2493, published on 2025-03-18, is a Path Traversal vulnerability (CWE-22) in Softdial Contact Center from Sytel Ltd. The flaw affects the ‘/softdial/scheduler/load.php’ endpoint, where attackers can manipulate the ‘id’ parameter to navigate beyond the intended directory boundaries. This enables unauthorized access to sensitive files outside the expected scope, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
The vulnerability is exploitable remotely over the network by any unauthenticated attacker (PR:N) using low-complexity techniques (AC:L) without requiring user interaction (UI:N). Successful exploitation grants high-level (C:H) read access to sensitive files, while leaving integrity (I:N) and availability (A:N) unaffected and scope unchanged (S:U).
The INCIBE-CERT advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-softdial-contact-center) covers this path traversal issue among multiple vulnerabilities in Softdial Contact Center. Security practitioners should review the notice for recommended mitigations, including any available patches or workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7569
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the ‘id’ parameter of the ‘/softdial/scheduler/load.php’ endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the…
more
expected scope, posing a security risk.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing web app directly enables T1190 for remote exploitation and facilitates T1005 by allowing unauthorized read access to sensitive local system files.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the 'id' parameter in the load.php endpoint to block path traversal sequences like '../'.
Mandates identification, reporting, and timely correction of the path traversal flaw in Softdial Contact Center.
Enforces access control policies to restrict file reads to only the intended directory despite manipulated inputs.