Description

The update mechanism in Automai Director improperly validates or restricts update sources and content, allowing an attacker to inject and execute arbitrary system commands during the update process.

Details

• Product: Automai Director
• Affected Versions: < 25.2.0
• Vulnerability Type: CWE-434: Unrestricted Upload of File with Dangerous Type
• Risk Level: Critical - CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
• Authentication: Required
• Vendor URL:
• Vendor acknowledged vulnerability: Yes
• Vendor Status: Fixed
• CVE: CVE-2025-46068

Impact

A successful exploit enables attackers to run arbitrary commands potentially leading to full system compromise, data manipulation, or deployment of persistent malware.​

References

• National Vulnerability Database CVE-2025-46068

Timeline

• 2025-04: Vulnerability reported to the vendor.
• 2025-05: Vendor published a fix for the issue.
• 2026-01: Information about the vulnerability is published.

Credits

• Bastian Recktenwald (Bastian.Recktenwald@ZeroBreach.de)