CVE-2025-65843: Aquarius Desktop Symlink Dereference Info Disclosure

Key Information CVE ID CVE-2025-65843 Vulnerability Overview Title: Aquarius Desktop Insecure File Handling via Symlink Dereference in Support Archive Generation Affected Product: Aquarius Desktop for macOS 3.0.069 Affected Component: Support archive generation ( ) using with , which includes in the support archive. Vulnerability Type: Directory Traversal / Insecure File Handling Attack Type: Local Impact: Information Disclosure, Arbitrary File Inclusion, Privilege Escalation (when chained with CVE-2025-65842) Vulnerability Details Summary: The application follows symbolic links within the log directory ( ) during support archive generation, resulting in unauthorized disclosure of sensitive files. This vulnerability can be exploited for information exfiltration or privilege escalation. Mitigation Recommendations Disable Symlink Following: Use Path Validation: Validate file paths before adding them to the ZIP archive, ensuring they remain within the intended directory. Input Validation: Reject symlinks, hardlinks, device nodes, and paths that escape the intended directory. Content Validation: Perform strict content validation of the ZIP file. Disclosure Timeline 2025-08-02: Vulnerability discovered 2025-08-03 - 08-05: Initial technical validation and PoC developed 2025-08-07: Full vulnerability report generated and submitted 2025-08-19: Responsible disclosure initiated with vendor 2025-08-23: Follow-up sent due to no response 2025-11-13: Escalation to MITRE CVE Program 2025-11-19: Public disclosure initiated (90-day window expired) 2025-11-28: CVE ID assigned by CNA

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-65843: Aquarius Desktop Symlink Dereference Info Disclosure