CVE-2025-60949 — AI Deep Analysis Summary

🚨 **Essence**: CSWeb v8.0.1 exposes `app/config` via HTTP. 📉 **Consequences**: Unauthenticated attackers can steal sensitive keys & config data. 💥 **Impact**: High confidentiality & integrity loss (CVSS H/H).

🛡️ **Root Cause**: CWE-200 (Information Exposure). 🔍 **Flaw**: Misconfiguration allowing direct HTTP access to sensitive config files without authentication.

🏢 **Vendor**: CSPro Users (Census). 📦 **Product**: CSWeb. 📅 **Affected**: Version **8.0.1** specifically. ⚠️ **Scope**: Deployments exposing `app/config`.

🕵️ **Action**: Send HTTP requests to `/app/config`. 🔑 **Gain**: Extract leaked API keys & secrets. 🚫 **Limit**: No direct RCE mentioned, but key theft enables further attacks.

🔓 **Auth**: None required (PR:N). 🌐 **Network**: Remote (AV:N). 🎯 **Complexity**: Low (AC:L). 💡 **Verdict**: Extremely easy to exploit. No UI interaction needed.

📂 **Exploit**: Yes. GitHub repo `hx381/cspro-exploits` exists. 🔗 **Commit**: Fix available at `eba0b59...`. ⚠️ **Status**: Publicly accessible PoC/Exploit code.

🔍 **Check**: Scan for HTTP access to `/app/config`. 📡 **Tool**: Use Nmap or custom scripts to probe the endpoint. 🚩 **Signal**: Look for JSON/XML config responses without auth prompts.

🛠️ **Fix**: Official patch committed. 🔗 **Link**: GitHub commit `eba0b59a243390a1a4f9524cce6dbc0314bf0d91`. ✅ **Action**: Update to patched version immediately.

🚧 **Workaround**: Block external access to `/app/config` via WAF/Nginx. 🔒 **Restrict**: Ensure config files are not served over plain HTTP. 🛑 **Isolate**: Restrict network access to internal only.

🔥 **Priority**: CRITICAL. 📅 **Date**: Published 2026-03-23. 🚨 **Reason**: Low barrier to entry + High impact (Key Leakage). ⚡ **Advice**: Patch NOW. Do not wait.