Key Information
CVE ID: CVE-2025-65843

Vulnerability Overview
Title: Aquarius Desktop Insecure File Handling via Symlink Dereference in Support Archive Generation
Affected product: Aquarius Desktop for macOS 3.0.069
Affected component: Support archive generation ( ) with having and includes in the support archive.
Vulnerability type: Directory Traversal / Insecure File Handling
Attack type: Local
Impact: Information Disclosure, Arbitrary File Inclusion, Privilege Escalation (when chained with CVE-2025-65842)

Vulnerability Details
Overview: The application follows symbolic links inside the log directory ( ) during support archive generation, leading to unauthorized disclosure of sensitive files. This vulnerability can be exploited for information exfiltration or privilege escalation.

Remediation Advice
Disable symlink following: Use
Path validation: Validate file paths before adding them to the ZIP archive, ensuring they are within the intended directory.
Input validation: Reject symlinks, hardlinks, device nodes, and paths that escape the intended directory.
Content validation: Perform stringent content validation of the ZIP file.

Disclosure Timeline
2025-08-02: Vulnerability discovered
2025-08-03 to 2025-08-05: Initial technical validation and PoC developed
2025-08-07: Full vulnerability report generated and submitted
2025-08-19: Responsible disclosure initiated with vendor
2025-08-23: Follow-up sent due to no response
2025-11-13: Escalation to MITRE CVE Program
2025-11-19: Public disclosure initiated (90-day window expired)
2025-11-28: CVE ID assigned by CNA
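The following is an added example (not the vendor's or the reporter's code) of the path and input validation advised above: a support-archive builder that inspects each log entry with lstat() and refuses symlinks, hardlinks, non-regular files and anything resolving outside the log directory. The log directory, file names and contents in demo() are a constructed fixture in a temporary directory.

```python
import os
import stat
import tempfile
import zipfile

def collect_log_files(log_dir):
    """Return (accepted, rejected): accepted is [(arcname, path)] for plain regular
    files strictly inside log_dir; rejected is [(path, reason)] for everything else."""
    base = os.path.realpath(log_dir)
    accepted, rejected = [], []
    for root, dirs, files in os.walk(log_dir, followlinks=False):
        # Prune symlinked directories so the walk never descends through a link.
        dirs[:] = [d for d in dirs if not os.path.islink(os.path.join(root, d))]
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat(): inspect the entry itself, not its target
            if stat.S_ISLNK(st.st_mode):
                rejected.append((path, "symlink")); continue
            if not stat.S_ISREG(st.st_mode):
                rejected.append((path, "not a regular file")); continue
            if st.st_nlink > 1:
                rejected.append((path, "hardlink")); continue
            real = os.path.realpath(path)
            if os.path.commonpath([base, real]) != base:
                rejected.append((path, "escapes log dir")); continue
            accepted.append((os.path.relpath(real, base), path))
    return accepted, rejected

def build_support_archive(log_dir, zip_path):
    """Write only the vetted files into the ZIP; report what was archived and why the rest was skipped."""
    accepted, rejected = collect_log_files(log_dir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for arcname, path in accepted:
            zf.write(path, arcname)
    return sorted(a for a, _ in accepted), {os.path.basename(p): r for p, r in rejected}

def demo():
    """Constructed fixture: one real log plus a symlink and a hardlink to a file outside the log dir."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "logs"); os.mkdir(log_dir)
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f: f.write("api-token=constructed-sample\n")
        with open(os.path.join(log_dir, "app.log"), "w") as f: f.write("started\n")
        os.symlink(secret, os.path.join(log_dir, "leak.log"))  # the pattern behind CVE-2025-65843
        os.link(secret, os.path.join(log_dir, "hard.log"))
        zip_path = os.path.join(tmp, "support.zip")
        _, rejected = build_support_archive(log_dir, zip_path)
        with zipfile.ZipFile(zip_path) as zf:
            names = sorted(zf.namelist())
    return names, rejected
```

Running demo() archives only app.log and reports leak.log as "symlink" and hard.log as "hardlink".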