CVE-2024-26293
Description
The Avid Nexis Agent uses a vulnerable gSOAP version. An undocumented vulnerability impacting gSOAP v2.8 makes the application vulnerable to an Unauthenticated Path Traversal vulnerability. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated path traversal vulnerability in Avid NEXIS Agent, due to a vulnerable gSOAP library, allows attackers to read arbitrary files on affected systems.
Vulnerability Description
The Avid NEXIS Agent, used in NEXIS E-series, F-series, PRO+, and System Director Appliance (SDA+), is built with a vulnerable version (v2.8) of the gSOAP library [1]. An undocumented flaw in this gSOAP version is the root cause of the vulnerability [1]. This allows an attacker to perform an Unauthenticated Path Traversal attack, listed as CVE-2024-26293 [1]. The vulnerability affects all listed products before version 2025.5.1 [1].
Attack Vector
The Path Traversal vulnerability can be exploited without any authentication [1]. An attacker would send a crafted HTTP request to the Avid NEXIS Agent's exposed gSOAP endpoint. By manipulating file path sequences in the request, the attacker can traverse outside of the intended web root directory. The vulnerability is exploitable on both Linux and Windows platforms [1].
Impact
Successful exploitation allows an unauthenticated attacker to read arbitrary files from the host filesystem [1]. This could lead to the disclosure of sensitive information such as configuration files, credentials, or other proprietary data stored on the NEXIS system.
Mitigation
Avid has released version 2025.5.1 which addresses this vulnerability [1]. Users should upgrade to this patched version as soon as possible. The vendor's advisory indicates that CVE-2024-26293 was included in the patches released at that time [1]. There are no known public workarounds for this specific issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2025.5.1
Patches
No patches discovered yet.