Cyber Posture

CVE-2025-66956

Severity: Critical

Published: 11 March 2026

Modified: 27 April 2026
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66956 is a critical-severity Improper Access Control (CWE-284) vulnerability in Asseco SEE Live (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved authorizations for logical access to information and system resources, directly addressing the insecure access control that allows remote attackers to access attachments via computable URLs.

Prevent: Authorizes access to system resources based on access control decisions, mitigating the bypass of restrictions through computable URLs in the affected components.

Prevent: Employs least privilege to restrict low-privilege accounts from enabling unauthorized access and execution of attachments over the network.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure access control in network-accessible components allows remote low-privileged attackers to access and execute attachments via crafted URLs, enabling exploitation of a public-facing application for potential full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.

Deeper analysis

CVE-2025-66956 is an insecure access control vulnerability (CWE-284) in the Contact Plan, E-Mail, SMS, and Fax components of Asseco SEE Live 2.0. Published on 2026-03-11T21:16:13.037, it carries a CVSS v3.1 base score of 9.9 (Critical), indicating severe risk due to its network accessibility, low complexity, and broad impact potential. The issue enables remote attackers to access and execute attachments through a computable URL, bypassing intended restrictions.

Attackers require only low privileges (PR:L) to exploit the vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a change in scope (S:C), allowing unauthorized access and execution of attachments that could facilitate further compromise, such as code execution or data exfiltration.
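As an added defensive illustration (not code from Asseco, nor from this record), the following Python contrasts the access-control pattern described above, where any authenticated user can reach an attachment through a predictable identifier, with a per-object authorization decision (AC-3/AC-24) and an unguessable reference; the message and attachment model, the user names and the sample data are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data: attachments as a messaging product might store them.
# A message has a reader set (sender plus recipients); names are hypothetical.
@dataclass
class Message:
    readers: frozenset  # user ids permitted to read this message

@dataclass
class Attachment:
    message_id: int
    filename: str
    content: bytes

MESSAGES = {1: Message(frozenset({"alice", "bob"})), 2: Message(frozenset({"carol"}))}
# Sequential ids: whoever sees one attachment URL can compute all the others.
ATTACHMENTS = {101: Attachment(1, "plan.pdf", b"%PDF-1.4 sample"),
               102: Attachment(2, "invoice.pdf", b"%PDF-1.4 sample")}

class Forbidden(Exception):
    pass

def fetch_attachment_vulnerable(user, attachment_id):
    """The CWE-284 pattern: authentication only, no per-object decision."""
    if user is None:
        raise Forbidden("login required")
    return ATTACHMENTS[attachment_id]  # any logged-in user reads any attachment

def fetch_attachment_hardened(user, attachment_id):
    """AC-3 / AC-24: authorize each attachment against its message's readers."""
    if user is None:
        raise Forbidden("login required")
    att = ATTACHMENTS.get(attachment_id)
    # One error for 'missing' and 'not yours', so ids cannot be enumerated.
    if att is None or user not in MESSAGES[att.message_id].readers:
        raise Forbidden("attachment not available")
    return att

# Defence in depth: an unguessable reference replaces the raw integer in URLs,
# so a computed or leaked id alone no longer yields a working link. The
# authorization check above still runs on every request resolved this way.
TOKEN_TO_ID = {}

def issue_reference(attachment_id):
    """Return a random, URL-safe token that maps to the attachment server-side."""
    token = secrets.token_urlsafe(32)
    TOKEN_TO_ID[token] = attachment_id
    return token
```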

Mitigation guidance and additional details are available in vendor advisories and resources, including http://asseco.com, https://github.com/TheWoodenBench/CVE-2025-66956, and https://live.asee.io/. Security practitioners should consult these references for patching instructions and workarounds specific to Asseco SEE Live 2.0 deployments.

Details

CWE(s)

CWE-284 Improper Access Control
Affected Products

Asseco SEE Live (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-21962 (shared CWE-284)
CVE-2026-34456 (shared CWE-284)
CVE-2026-21535 (shared CWE-284)
CVE-2025-50870 (shared CWE-284)
CVE-2025-26062 (shared CWE-284)
CVE-2025-50105 (shared CWE-284)
CVE-2025-56015 (shared CWE-284)
CVE-2026-21889 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2024-40749 (shared CWE-284)

References