How to fix CVE-2018-25164?

Within 24 hours: Identify all systems running EverSync 0.5 and isolate them from production networks if possible; enable logging on file access attempts. Within 7 days: Implement Web Application Firewall (WAF) rules to block direct file directory requests; restrict network access to EverSync to known trusted IPs only; conduct forensic audit for unauthorized file downloads. Within 30 days: Migrate to alternative solution or upgrade to patched version when available; perform full data breach assessment and notify stakeholders if sensitive data was accessed.

CVE-2018-25164

HIGH

2026-03-06 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 09, 2026 - 13:35 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 13:15 nvd

HIGH 7.5

Description

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.

Analysis

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. [CVSS 7.5 HIGH]

Technical Context

Classified as CWE-552 (Files or Directories Accessible to External Parties). EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.

Affected Products

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them dire

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: +20

CVE-2018-25164 vulnerability details – vuln.today

Back

CVE-2018-25164

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2018-25164

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code