CVE-2025-34320

UNKNOWN 0.0

BASIS BBj < 25.00 Unauthenticated Arbitrary File Read RCE

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to cause the server to read arbitrary system files accessible to the account running the service. Retrieved configuration artifacts may contain account credentials used for BBj Enterprise Manager; possession of these credentials enables administrative access and use of legitimate management functionality that can result in execution of system commands under the service account. Depending on the operating system and the privileges of the BBj service account, this issue may also allow access to other sensitive files on the host, including operating system or application data, potentially exposing additional confidential information.

CWE	CWE-22
Vendor	basis international ltd.
Product	basis bbj
Published	Nov 20, 2025
Last Updated	Feb 18, 2026

Stay Ahead of the Next One

Get instant alerts for basis international ltd. basis bbj

Be the first to know when new unknown vulnerabilities affecting basis international ltd. basis bbj are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

BASIS International Ltd. / BASIS BBj

0 < 25.00

References

NVD ↗ CVE.org ↗ EPSS Data ↗

myemail.constantcontact.com: https://myemail.constantcontact.com/BASIS-International-Ltd--releases-BBj---the-Barista--Application-Framework--and-AddonSoftware--by-Barista-version-25-00.html?soid=1103463119019&aid=WbfWkReLRVE vulncheck.com: https://www.vulncheck.com/advisories/basis-bbj-unauthenticated-arbitrary-file-read-rce

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp. Omar Crespo, Pentester, GM Sectec, Corp.