CVE-2024-26291

Summary

An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information.

This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

Affected Software

VendorProductVersion RangeStatus
AvidAvid NEXIS E-series0 < 2025.5.1affected
AvidAvid NEXIS F-series0 < 2025.5.1affected
AvidAvid NEXIS PRO+0 < 2025.5.1affected
AvidSystem Director Appliance (SDA+)0 < 2025.5.1affected

Weaknesses

  • CWE-285: CWE-285: Improper Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References