Critical severity9.8NVD Advisory· Published May 8, 2026· Updated May 11, 2026

CVE-2025-69599

Description

RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RayVentory Scan Engine 12.6 Update 8 uses relative paths for binary/so calls, letting attackers with PATH control escalate privileges.

Vulnerability

Overview

The RayVentory Scan Engine, through version 12.6 Update 8, contains an uncontrolled search path element vulnerability (CWE-427). The application loads shared objects (such as libnetselector.so and libuploader.so) and executes system binaries (including curl, cat, and sh) using relative paths rather than absolute paths. This design flaw, triggered via the rvia or the underlyingndtrack binary, allows an attacker who can modify the PATH` environment variable to substitute malicious binaries or shared objects for the expected ones.[1]

Exploitation

An attacker with control over the user's environment (e.g., for instance by setting the PATH variable to include a writeable directory like /tmp before the legitimate directories, can place a crafted binary or shared object with the same name as one the application expects. Whenrvia orndtrack invokes the command by relative name, the malicious version is executed instead. For example, a custom curl binary can be placed in /tmp; after prepending /tmp to the PATH, running /opt/rvia/rvia getconfig then executes the attacker's curl. Similarly, a malicious libnetselector.so placed in the search path can trigger arbitrary code whenndtrack loads it.[1]

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code in the context of the application process. This can lead to privilege escalation, data exfiltration of scanned system information, and potential compromise of the infrastructure managed by the RayVentory Scan Engine. The CVSS v3 score of 9.8 reflects the critical nature of remote code execution without authentication, though the attack requires only PATH control of environment variables (a configuration often achievable by a local attacker or through other application flaws).[1]

Mitigation

Status

The vendor's advisory (RSEC200965) is referenced, but the note mentions vendor dispute, arguing that an attacker's ability to control environment variables is a site-specific misconfiguration. As of the publication date (2026-05-08), no official patch has been confirmed, but organizations should ensure strict control over the environment variables used by the scan engine, avoid running it with elevated privileges, and use absolute paths if possible. The CVE has not been listed in CISA's Known Exploited Vulnerabilities catalog at the time of writing.[1]

References

GitHub - Wise-Security/CVE-2025-69599

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

McAfee/Scan Enginellm-fuzzy
Range: <=12.6 Update 8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000