CVE Alert: CVE-2025-9639 – Ai3 – QbiCRMGateway

CVE-2025-9639

HIGH · No exploitation known

The QbiCRMGateway developed by Ai3 has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
Ai3
Product
QbiCRMGateway
Versions
7.5.1 through 8.5.03 (inclusive)
CWE
CWE-23 Relative Path Traversal
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published
2025-08-29T03:39:35.620Z
Updated
2025-08-29T03:39:35.620Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote arbitrary file reading via relative path traversal with external exposure; patch urgently.

Why this matters

Attackers can fetch arbitrary system files, potentially exposing credentials or sensitive configuration. Combined with network-facing access, this can enable data leakage, disclosure of secrets, or groundwork for further compromise with little or no user interaction.

Most likely attack path

Direct, unauthenticated requests over the network to the vulnerable endpoint, exploiting relative path traversal to download files. No privileges are required and no user interaction is needed, so an attacker can target sensitive files immediately. Scope remains unchanged, but successful reads could expose credentials or configuration that facilitate further moves.

Who is most exposed

Organisations deploying QbiCRMGateway at the network edge or as an internet-facing API gateway are most at risk; those with external exposure and access to server file systems should prioritise remediation.

Detection ideas

  • Logs showing path traversal patterns (../ or ..\) targeting file download endpoints.
  • Unusual spikes in requests aiming at sensitive file names (e.g., system config or credential files).
  • Increased outbound data transfers following such requests.
  • WAF/IPS alerts for traversal attempts across gateway endpoints.
  • Anomalous 200 responses returning file-like content to unauthenticated clients.
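The traversal-pattern and 200-response checks listed above, as an added example that is not part of the original alert or of any Ai3 code: a small Python detector run over constructed access-log lines. The `/gateway/download?file=` endpoint, the client IPs and the file names are assumed placeholders, not the real product's paths; it also decodes percent-encoding twice so that encoded and double-encoded `../` and `..\` sequences are caught, which goes beyond the literal patterns named in the bullet.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not from a real deployment.
# Endpoint, IPs and file names are placeholders; only the traversal shapes matter here.
SAMPLE_LOGS = [
    '10.0.0.5 - - [29/Aug/2025:10:00:01 +0000] "GET /gateway/download?file=report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Aug/2025:10:00:02 +0000] "GET /gateway/download?file=../../conf/gateway.ini HTTP/1.1" 200 1834',
    '198.51.100.7 - - [29/Aug/2025:10:00:03 +0000] "GET /gateway/download?file=%2e%2e%2f%2e%2e%2fconf%2fgateway.ini HTTP/1.1" 200 932',
    '203.0.113.9 - - [29/Aug/2025:10:00:04 +0000] "GET /gateway/download?file=..%5c..%5cconf%5cgateway.ini HTTP/1.1" 404 210',
]

# Combined-log-format fields we need: client IP, request path, response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize(path: str) -> str:
    """Percent-decode twice so single- and double-encoded sequences compare equal."""
    decoded = path
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded


def is_traversal(path: str) -> bool:
    """True if the decoded request path contains a '../' or '..\\' segment."""
    p = normalize(path)
    return '../' in p or '..\\' in p


def detect_traversal(lines):
    """Return one finding per log line whose request path carries a traversal pattern.
    likely_success marks a 200 response, the 'anomalous 200' case from the alert."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if is_traversal(m['path']):
            findings.append({
                'ip': m['ip'],
                'path': m['path'],
                'status': int(m['status']),
                'likely_success': m['status'] == '200',
            })
    return findings


def traversal_requests_by_ip(lines) -> Counter:
    """Count traversal attempts per client IP; a spike from one source is a triage signal."""
    return Counter(f['ip'] for f in detect_traversal(lines))
```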

Mitigation and prioritisation

  • Patch to v8.5.04 or later immediately.
  • If patching is delayed, deploy compensating controls (Web Application Firewall rules to block path traversal; restrict file-system access; disable directory listing).
  • Implement input validation/sanitisation and a strict allowlist for permissible file access; review code paths handling file reads.
  • Apply least-privilege and network segmentation; monitor and alert on suspicious file access activity.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1. If those indicators are not available, still prioritise it within your standard change window given the external exposure.
