Unauthenticated Path Traversal Vulnerability in Avid Nexis Agent Software
CVE-2024-26293

8.7 HIGH

What is CVE-2024-26293?

The Avid Nexis Agent is affected by an unauthenticated path traversal vulnerability caused by an outdated version of gSOAP (v2.8). An attacker needs no credentials to exploit it, and exploitation can lead to unauthorized file access. Affected systems include various models of Avid NEXIS storage solutions that have not been updated to version 2025.5.1 or later. Users of Avid NEXIS products should apply the update to mitigate this risk.

Affected Version(s)

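Avid NEXIS E-series (Linux): versions from 0 up to, but not including, 2025.5.1

Avid NEXIS F-series (Linux): versions from 0 up to, but not including, 2025.5.1

Avid NEXIS PRO+ (Linux): versions from 0 up to, but not including, 2025.5.1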

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

DriveByte
CERT-Bund