Cyber Resilience

CVE-2025-66956

Critical

Published: 11 March 2026

Modified: 27 April 2026
CVSS v3.1 Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0058 (43.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-66956 is a critical-severity Improper Access Control (CWE-284) vulnerability in Asseco SEE Live (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood it ranks at the 43.2nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2025-66956 is an insecure access control vulnerability (CWE-284, Improper Access Control) in the Contact Plan, E-Mail, SMS, and Fax components of Asseco SEE Live 2.0. Published on 2026-03-11T21:16:13.037, it carries a CVSS v3.1 base score of 9.9 (Critical), reflecting network reachability, low attack complexity, and broad impact. The flaw lets remote attackers access and execute attachments through a computable URL, bypassing the access restrictions the application is meant to enforce.

Attackers require only low privileges (PR:L) to exploit the vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a change in scope (S:C), allowing unauthorized access and execution of attachments that could facilitate further compromise, such as code execution or data exfiltration.

Mitigation guidance and additional details are available in vendor advisories and resources, including http://asseco.com, https://github.com/TheWoodenBench/CVE-2025-66956, and https://live.asee.io/. Security practitioners should consult these references for patching instructions and workarounds specific to Asseco SEE Live 2.0 deployments.


Vulnerability details

Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure access control in network-accessible components allows remote low-privileged attackers to access and execute attachments via crafted URLs, enabling exploitation of a public-facing application for potential full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2026-34310 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2026-34287 (shared CWE-284)
CVE-2026-44277 (shared CWE-284)
CVE-2025-66509 (shared CWE-284)
CVE-2025-50900 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)

Affected Assets

Asseco SEE Live (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): enforces approved authorizations for logical access to information and system resources, directly addressing the insecure access control that allows remote attackers to access attachments via computable URLs.

AC-24 Access Control Decisions (prevent): authorizes access to system resources based on access control decisions, mitigating the bypass of restrictions through computable URLs in the affected components.

AC-6 Least Privilege (prevent): employs least privilege to restrict low-privilege accounts from enabling unauthorized access and execution of attachments over the network.
