CVE-2025-8590 Overview
CVE-2025-8590 is an information disclosure vulnerability affecting AKCE Software Technology R&D Industry and Trade Inc.'s SKSPro product. The flaw stems from directory indexing being enabled on the web server, allowing unauthenticated remote attackers to enumerate files and directories that should not be publicly accessible. This exposure of sensitive information to an unauthorized actor is classified under CWE-200. The vulnerability affects all SKSPro versions through build 07012026.
Critical Impact
Unauthenticated attackers can browse directory contents over the network to harvest sensitive files, configuration data, and application artifacts that aid further attacks.
Affected Products
- AKCE Software Technology R&D Industry and Trade Inc. SKSPro
- SKSPro versions through 07012026
- Deployments exposing the SKSPro web interface to untrusted networks
Discovery Timeline
- 2026-02-03 - CVE-2025-8590 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-8590
Vulnerability Analysis
The vulnerability is a directory indexing misconfiguration in the SKSPro web application. When a client requests a directory path that lacks a default index document, the server responds with an auto-generated listing of every file and subdirectory at that path. The issue is reachable over the network without authentication and without user interaction. Confidentiality is impacted, while integrity and availability remain unaffected per the CVSS vector.
Directory indexing exposes resources that developers assumed were hidden by obscurity. Common artifacts revealed include backup files, log files, database dumps, internal documentation, configuration files, and source code fragments. Attackers use this content to map application structure, locate credentials, and identify additional attack surface.
Root Cause
The root cause is an insecure default configuration in the web server hosting SKSPro. The server's directory listing feature was not disabled, and individual directories lack restrictive access controls or default index files. This allows the server to enumerate contents on demand to any HTTP client.
Attack Vector
An attacker sends standard HTTP GET requests to directory paths within the SKSPro application. The server returns an HTML listing of contents, which the attacker parses to identify files of interest. The attacker then downloads exposed files directly using their listed URLs. No credentials, tokens, or prior access are required.
For technical details, refer to the USOM Security Notification TR-26-0011.
Detection Methods for CVE-2025-8590
Indicators of Compromise
- HTTP responses from SKSPro hosts containing the "Index of /" HTML pattern or similar auto-generated directory listings
- Repeated GET requests from a single source to multiple directory paths without trailing filenames
- Outbound transfers of backup files, archives, or configuration files from SKSPro web roots to external IPs
- User-agent strings associated with directory enumeration tools such as dirb, gobuster, or ffuf in web server logs
Detection Strategies
- Crawl the SKSPro application from an authorized scanner and flag any path that returns a directory index response
- Monitor web server access logs for sequential requests to directory paths returning HTTP 200 with text/html content type
- Correlate scanner-like request patterns with download spikes of non-public file extensions such as .bak, .zip, .sql, and .env
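The log-side checks above can be combined into one pass over the access log. This is an added example, not vendor or advisory code; it assumes Apache/Nginx combined log format, and the sample lines, paths and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumes combined log format. Content type is not logged there, so a 200 on a
# path ending in "/" stands in for "directory index response".
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) '
                  r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = re.compile(r"dirb|gobuster|ffuf", re.I)   # tools named on this page
SENSITIVE_EXT = (".bak", ".zip", ".sql", ".env")       # extensions named on this page

def analyze(lines, dir_threshold=3):
    """Map source IP -> reasons it looks like directory-index harvesting."""
    dirs, files, tools = defaultdict(set), defaultdict(set), set()
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if SCANNER_UA.search(m["ua"]):
            tools.add(ip)
        if m["status"] != "200":
            continue
        if path.endswith("/"):
            dirs[ip].add(path)          # distinct directory paths per source
        elif path.lower().endswith(SENSITIVE_EXT):
            files[ip].add(path)         # successful fetch of a non-public file type
    findings = {}
    for ip in set(dirs) | set(files) | tools:
        reasons = []
        if len(dirs[ip]) >= dir_threshold:
            reasons.append("directory-walk")
        if files[ip]:
            reasons.append("sensitive-download")
        if ip in tools:
            reasons.append("scanner-user-agent")
        if reasons:
            findings[ip] = reasons
    return findings

def row(ip, path, status, ua="Mozilla/5.0"):
    return f'{ip} - - [03/Feb/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
SAMPLE = [  # constructed log lines; IPs are documentation ranges, paths are hypothetical
    row("198.51.100.7", "/uploads/", 200), row("198.51.100.7", "/backup/", 200),
    row("198.51.100.7", "/logs/", 200), row("198.51.100.7", "/backup/db.sql", 200),
    row("192.0.2.10", "/", 200), row("192.0.2.10", "/login", 200),
    row("203.0.113.5", "/admin/", 404, ua="gobuster/3.6"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The user-agent check only catches tools that announce themselves, so treat the directory-walk and sensitive-download signals as the primary ones and tune dir_threshold against normal traffic.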
Monitoring Recommendations
- Forward SKSPro web server access logs to a centralized SIEM for retention and pattern analysis
- Alert on directory listing responses originating from production SKSPro hosts
- Track external reconnaissance against SKSPro endpoints using web application firewall telemetry
How to Mitigate CVE-2025-8590
Immediate Actions Required
- Disable directory indexing on the web server hosting SKSPro at the global or virtual host level
- Restrict network access to the SKSPro management interface using firewall rules or VPN gating until a patched build is available
- Audit exposed directories for sensitive files and remove or relocate any backups, logs, or credentials found in the web root
- Contact AKCE Software Technology R&D Industry and Trade Inc. for a fixed release beyond version 07012026
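The web-root audit in the list above can be scripted on the server itself. This is an added example, not vendor code; the index file names, the extension list and the sample tree are assumptions constructed for illustration, and the real web root path must be supplied by the administrator.

```python
import os
import tempfile
from pathlib import Path

INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.aspx"}  # assumed defaults
SENSITIVE_EXT = (".bak", ".zip", ".sql", ".env", ".log")  # backups, dumps, secrets, logs

def audit_web_root(root):
    """Return (directories with no index document, sensitive files), relative to root."""
    no_index, sensitive = [], []
    for current, _dirs, files in os.walk(root):
        rel = Path(current).relative_to(root)
        # A directory with no index document is one the server would list
        # while directory indexing is enabled.
        if not ({f.lower() for f in files} & INDEX_NAMES):
            no_index.append(rel.as_posix())
        for name in files:
            if name.lower().endswith(SENSITIVE_EXT):
                sensitive.append((rel / name).as_posix())
    return sorted(no_index), sorted(sensitive)

def build_sample_tree(root):
    """Constructed layout for the demo; not SKSPro's real directory structure."""
    for d in ("uploads", "backup"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("index.html", "uploads/report.pdf", "backup/db.sql", "backup/.env"):
        Path(root, f).touch()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_web_root(root)

if __name__ == "__main__":
    listed, exposed = demo()
    print("Directories that would be listed:", listed)
    print("Files to remove or relocate:", exposed)
```

An index file hides the listing but leaves every file reachable by its direct URL, so the flagged files still need to be moved out of the web root.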
Patch Information
No vendor patch is referenced in the available advisory data. The issue affects SKSPro through version 07012026. Administrators should monitor the USOM Security Notification TR-26-0011 and AKCE vendor channels for an updated build that disables directory indexing by default.
Workarounds
- Add an empty index.html file to each directory served by SKSPro to suppress automatic listings
- For Apache deployments, set Options -Indexes in the relevant <Directory> block or .htaccess file
- For Nginx deployments, ensure the autoindex off; directive is set within each location block serving SKSPro content
- For IIS deployments, disable the Directory Browsing feature for the SKSPro site through IIS Manager or web.config
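# Configuration example - disable directory indexing
# Apache (httpd.conf or a virtual host file; <Directory> is not valid in .htaccess)
<Directory "/var/www/skspro">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
# In .htaccess, use only the "Options -Indexes" line; it needs AllowOverride Options,
# so it is ignored under the AllowOverride None shown above.
# Nginx (server or location block); autoindex is off by default, so also remove any "autoindex on;"
location / {
    autoindex off;
}
# IIS (web.config)
# <configuration>
#   <system.webServer>
#     <directoryBrowse enabled="false" />
#   </system.webServer>
# </configuration>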
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

