CVE-2025-59895
Published: 28 January 2026
Summary
CVE-2025-59895 is a high-severity Improper Input Validation (CWE-20) vulnerability in Flexense Diskpulse. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-59895 is a remote denial-of-service (DoS) vulnerability in the configuration restore functionality of Sync Breeze Enterprise Server version 10.4.18 and Disk Pulse Enterprise version 10.4.18. The issue arises from insufficient validation of user-supplied data (CWE-20), allowing malicious input to corrupt the configuration file. Published on 2026-01-28, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.
An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests over the network to the affected service. Successful exploitation alters the configuration file, rendering the application unresponsive and potentially preventing the service from restarting, even manually. Recovery may necessitate a complete reinstallation, as the corruption can make the service irrecoverable without intervention.
The INCIBE-CERT advisory on multiple vulnerabilities in Flexense products provides additional details: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206494
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests…
more
to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated exploitation of a public-facing server application (T1190) via crafted input to trigger application/system DoS through exploitation (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the insufficient validation of user-supplied data (CWE-20) during configuration restore, preventing malicious inputs from corrupting the configuration file.
Protects against remote denial-of-service attacks by limiting effects and detecting malicious requests targeting the configuration restore functionality.
Provides procedures for system recovery and reconstitution after configuration corruption, mitigating the need for complete reinstallation.