Is there a public PoC exploit available for CVE-2018-25164?

Yes, a public proof-of-concept exploit is available for CVE-2018-25164. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2018-25164?

Within 24 hours: Identify all systems running EverSync 0.5 and isolate them from production networks if possible; enable logging on file access attempts. Within 7 days: Implement Web Application Firewall (WAF) rules to block direct file directory requests; restrict network access to EverSync to known trusted IPs only; conduct forensic audit for unauthorized file downloads. Within 30 days: Migrate to alternative solution or upgrade to patched version when available; perform full data breach assessment and notify stakeholders if sensitive data was accessed.

CVE-2018-25164

Q: What is the CVSS score of CVE-2018-25164?

CVE-2018-25164 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

HIGH

Files or Directories Accessible to External Parties (CWE-552)

2026-03-06 disclosure@vulncheck.com

Path Traversal Information Disclosure

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 15, 2026 - 15:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 09, 2026 - 13:35 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 13:15 nvd

HIGH 7.5

DescriptionCVE.org

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.

AnalysisAI

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. [CVSS 7.5 HIGH]

Technical ContextAI

Classified as CWE-552 (Files or Directories Accessible to External Parties). EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.

Affected ProductsAI

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them dire

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2018-25164 vulnerability details – vuln.today

Back