CVE-2025-59895

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:flexense:diskpulse:10.4.18::::enterprise:::
	cpe:2.3:a:flexense:syncbreeze:10.4.18::::enterprise:::

History

No history.

Information

Published : 2026-01-28 12:15

Updated : 2026-02-10 21:07

NVD link : CVE-2025-59895

Mitre link : CVE-2025-59895

CVE.ORG link : CVE-2025-59895

JSON object : View

Products Affected

flexense

diskpulse
syncbreeze

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2025-59895", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-28T12:15:51.093", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually."}, {"lang": "es", "value": "Sync Breeze Enterprise Server v10.4.18 y Disk Pulse Enterprise v10.4.18 contienen una vulnerabilidad de denegaci\u00f3n de servicio (DoS) remota en la funcionalidad de restauraci\u00f3n de configuraci\u00f3n. El problema se debe a una validaci\u00f3n insuficiente de los datos proporcionados por el usuario durante este proceso. Un atacante podr\u00eda enviar solicitudes maliciosas para alterar el archivo de configuraci\u00f3n, provocando que la aplicaci\u00f3n deje de responder. En un escenario exitoso, el servicio podr\u00eda no recuperarse por s\u00ed solo y requerir una reinstalaci\u00f3n completa, ya que la configuraci\u00f3n se corrompe e impide que el servicio se reinicie, incluso manualmente."}], "lastModified": "2026-02-10T21:07:26.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flexense:diskpulse:10.4.18:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "0DFC56D8-390C-44BD-B53F-89BD72D230C3"}, {"criteria": "cpe:2.3:a:flexense:syncbreeze:10.4.18:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "3CB4F42C-FC29-4084-BBDC-352145F53A35"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}