Description
An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
Affected products
- Avid / Avid NEXIS E-series0 – 2025.5.1
- Avid / Avid NEXIS F-series0 – 2025.5.1
- Avid / Avid NEXIS PRO+0 – 2025.5.1
- Avid / System Director Appliance (SDA+)0 – 2025.5.1
Exploits & PoCs
- nucleiAvid NEXIS Agent - Arbitrary File Readby DhiyaneshDK