Cyber Resilience

CVE-2025-59894

High

Published: 28 January 2026

Published
28 January 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0012 2.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-59894 is a high-severity CSRF (CWE-352) vulnerability in Flexense Diskpulse. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-59894 is a Cross-Site Request Forgery (CSRF) vulnerability, corresponding to CWE-352, affecting Sync Breeze Enterprise Server version 10.4.18 and Disk Pulse Enterprise version 10.4.18. The flaw arises from the lack of proper CSRF token implementation, allowing an authenticated user to induce another user to perform unwanted actions within the application they are logged into. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H) and was published on 2026-01-28.

An attacker who has obtained low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) by tricking a victim user into interacting with a malicious webpage (UI:R), such as by clicking a crafted link. Successful exploitation enables the attacker to force the victim's browser to submit unauthorized requests on their behalf, potentially leading to high-impact confidentiality, integrity, and availability consequences (C:H/I:H/A:H) in the unchanged scope (S:U). A specific example involves a POST request to the '/delete_all_commands?sid=' endpoint to delete all commands.

The INCIBE-CERT advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products) documents this vulnerability alongside others in Flexense products and provides associated guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request, to delete all commands via '/delete_all_commands?sid='.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The CSRF flaw directly enables forced actions via crafted malicious links or spearphishing, as described by the UI:R (user interaction required) component of the vector.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59893 (same product: Flexense Diskpulse)
CVE-2025-59892 (same product: Flexense Diskpulse)
CVE-2025-59891 (same product: Flexense Diskpulse)
CVE-2025-59895 (same product: Flexense Diskpulse)
CVE-2020-36946 (same product: Flexense Syncbreeze)
CVE-2020-37100 (same product: Flexense Syncbreeze)
CVE-2020-36927 (same product: Flexense Diskpulse)
CVE-2024-51144 (shared CWE-352)
CVE-2026-25812 (shared CWE-352)
CVE-2026-4922 (shared CWE-352)

Affected Assets

flexense / diskpulse / 10.4.18
flexense / syncbreeze / 10.4.18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

SC-23 requires mechanisms to protect communications session authenticity, directly mitigating CSRF by preventing forged requests from impersonating legitimate user actions in an authenticated session.

prevent

SI-10 mandates validation of information inputs, such as CSRF tokens, to ensure requests like the '/delete_all_commands' POST are legitimate and not forged by an attacker.

prevent

CM-6 enforces secure configuration settings, including implementation of CSRF protections in the application to address the lack of proper token validation.
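The control the SI-10 and SC-23 entries above describe, a per-session synchronizer token plus an Origin/Referer check on a state-changing POST such as the '/delete_all_commands' request named in the advisory, written out as an added example. This is illustrative code, not Flexense's implementation; the handler name, the request layout and the allowed origin are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed value for the example: the only origin the app itself serves.
ALLOWED_ORIGINS = {"https://diskpulse.example.internal"}


@dataclass
class Session:
    sid: str
    # Random per-session token, stored server-side and embedded in forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def issue_token(session: Session) -> str:
    """Value the server writes into its own HTML forms as a hidden field."""
    return session.csrf_token


def _source_origin(headers: dict):
    """scheme://host of the page that sent the request, or None if absent."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}"


def is_forged(session: Session, headers: dict, form: dict) -> bool:
    """True when the POST must be rejected as cross-site.

    The 'sid' in the query string is not a CSRF defence: a victim's browser
    attaches it (like a cookie) to a request a third-party page triggers.
    Two independent checks fail closed: the request must come from the app's
    own origin, and the form must echo the token only the app's page knows.
    """
    if _source_origin(headers) not in ALLOWED_ORIGINS:
        return True
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token leaks nothing via timing.
    return not hmac.compare_digest(supplied, session.csrf_token)


def handle_delete_all_commands(session: Session, headers: dict, form: dict):
    """Hypothetical handler for POST /delete_all_commands?sid=<sid>."""
    if is_forged(session, headers, form):
        return 403, "rejected: bad origin or missing/invalid CSRF token"
    # Only here would the real deletion run.
    return 200, "deleted"
```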

References