Zero Day Monitor (ZDM)
CVE-2025-59709 · EXPLOITED · 2.7
n/a · n/a

CVE-2025-59709: An issue was discovered in Biztalk360 through 11.5. Because of mishandling of user-provided input in a path to be read b

Description

An issue was discovered in Biztalk360 through 11.5. Because of mishandling of user-provided input in a path to be read by the server, a Super User attacker is able to read files on the system and/or coerce an authentication from the service, aka Directory Traversal.

Affected Products

Vendor | Product | Versions
n/a | n/a | n/a, 11.0, 11.1, 11.2, 11.3, 11.4

References

  • https://www.synacktiv.com/en/advisories/remote-code-execution-from-any-domain-account-in-biztalk360

Related News (1 article)

Tier C
VulDB · 6h ago
CVE-2025-59709 | Biztalk360 up to 11.5 path traversal
→ No new info (linked only)
CVSS 3.1: 2.7 HIGH
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-22
Published: Apr 3, 2026
Last enriched: 6h ago (v2)
Trending Score: 45
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, patch, iocs

Related CVEs (5)

CRITICAL · CVE-2025-59711 · EXP
CVE-2025-59711: An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism,
Trending: 56
HIGH · CVE-2026-26477
CVE-2026-26477: An issue in Dokuwiki v.2025-05-14b 'Librarian' allows a remote attacker to cause a denial of service via the media_uploa
Trending: 44
CRITICAL · CVE-2026-28373
CVE-2026-28373: The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryp
Trending: 43
CRITICAL · CVE-2025-59710
CVE-2025-59710: An issue was discovered in Biztalk360 before 11.5. Because of incorrect access control, any user is able to request the
Trending: 29
MEDIUM · CVE-2026-30251
CVE-2026-30251: A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php endpoint of Interzen Consulting S.r.l ZenSh
Trending: 21

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 3, 2026
Discovered by ZDM: Apr 3, 2026
Actively Exploited: Apr 3, 2026
Updated (affectedVersions, severity, cvssEstimate, cweIds, activelyExploited, mitreAttack): Apr 3, 2026

Version History

v2
Last enriched 6h ago
v2 · Tier C · 6h ago

Updated product to Biztalk360, added affected versions 11.0 to 11.4, changed severity to HIGH, updated CVSS score to 2.7, added CWE-22, and marked the vulnerability as actively exploited.

Changed fields: affectedVersions, severity, cvssEstimate, cweIds, activelyExploited, mitreAttack
via VulDB
v1 · 7h ago

Initial creation