Platform: other
Component: qbicrmgateway
CVE-2025-9639 describes a Path Traversal vulnerability discovered in the QbiCRMGateway, a product developed by Ai3. This vulnerability allows unauthenticated attackers to read arbitrary files from the system, potentially exposing sensitive data and compromising the integrity of the server. The vulnerability affects versions 7.5.1 through 8.5.03. A patch is expected to be released by the vendor.
The primary impact of this vulnerability is the ability for an attacker to read any file accessible to the QbiCRMGateway process. This could include configuration files containing database credentials, source code, or other sensitive information. Successful exploitation could lead to complete system compromise, data exfiltration, and denial of service. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. A similar vulnerability in another application resulted in the exposure of API keys and internal documentation, highlighting the potential severity of this type of flaw.
CVE-2025-9639 was publicly disclosed on 2025-08-29. The vulnerability's severity is rated HIGH (CVSS 7.5). No public proof-of-concept exploits are currently known, but the ease of exploitation inherent in path traversal vulnerabilities suggests a high probability of exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.10% (27th percentile)
CISA SSVC
CVSS Vector
While a patch is pending, immediate mitigation steps can reduce the risk. First, restrict file access permissions for the QbiCRMGateway process to only the necessary files and directories. Implement a Web Application Firewall (WAF) or reverse proxy with rules to block requests containing path traversal attempts (e.g., ../ sequences). Regularly monitor access logs for suspicious file access patterns. Consider implementing input validation and sanitization to prevent malicious path manipulation. After a patched version is released, upgrade QbiCRMGateway immediately. Verify the fix by attempting a path traversal attack after the upgrade and confirming that access is denied.
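As an added illustration of the log-monitoring and path-validation mitigations described above (example code written for this page, not code from the page or from Ai3): a small Python detector that flags traversal-style requests in access-log lines, plus a server-side resolver that refuses any requested path escaping a base directory. The log lines, endpoint names, client addresses and directories below are constructed assumptions, not details of QbiCRMGateway.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); the request
# path is captured from the quoted request string. Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2025:10:01:02 +0000] "GET /gateway/download?file=report.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [29/Aug/2025:10:01:05 +0000] "GET /gateway/download?file=../../config/db.ini HTTP/1.1" 200 1320
203.0.113.9 - - [29/Aug/2025:10:01:07 +0000] "GET /gateway/download?file=..%2F..%2Fconfig%2Fdb.ini HTTP/1.1" 200 1320
198.51.100.2 - - [29/Aug/2025:10:02:11 +0000] "GET /gateway/static/app.js HTTP/1.1" 200 8800
"""

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_request_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so encoded dots cannot hide a
    traversal, and fold backslashes to forward slashes before checking."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal_attempt(raw_request_path: str) -> bool:
    """True when any segment of the decoded path or query is exactly '..'."""
    decoded = decode_request_path(raw_request_path)
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


def flag_traversal_lines(log_text: str) -> list:
    """Return (client_ip, request_path) for each log line that looks like a
    traversal attempt; feed the result to alerting or WAF rule tuning."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits


def safe_resolve(base_dir: str, requested: str):
    """Server-side validation: resolve `requested` under base_dir and return
    the absolute path, or None if the resolved path escapes base_dir."""
    base = os.path.realpath(base_dir)
    rel = decode_request_path(requested).lstrip("/")
    target = os.path.realpath(os.path.join(base, rel))
    return target if os.path.commonpath([base, target]) == base else None
```

`flag_traversal_lines` decodes before matching, so a WAF rule that only looks for a literal `../` would miss what this check catches; `safe_resolve` is the complementary control inside the application itself.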
Update QbiCRMGateway to a version later than 8.5.03 that fixes the Path Traversal vulnerability. Consult the Ai3 vendor website for the latest version and update instructions. If no such version is available, contact the vendor to obtain a patch.
CVE-2025-9639 is a vulnerability allowing attackers to read arbitrary files on a system running QbiCRMGateway. It's rated HIGH severity and affects versions 7.5.1–8.5.03.
If you are running QbiCRMGateway versions 7.5.1 through 8.5.03, you are potentially affected. Check your version and apply the vendor-provided patch as soon as it's available.
Upgrade to the patched version of QbiCRMGateway as soon as it is released by the vendor. Until then, implement mitigation steps like WAF rules and restricted file access.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation. Monitor your systems closely and apply mitigations.
Refer to the Ai3 website and security advisories page for the official advisory regarding CVE-2025-9639. Check their support channels for updates.