Two Critical Vulnerabilities Discovered by Grant Thornton Armenia's Cybersecurity Experts Earn Global Recognition

At Grant Thornton Armenia, our commitment to advancing cybersecurity doesn't stop at client services — it drives us to contribute to the broader global security landscape. In late 2023, our cybersecurity team identified and responsibly disclosed two critical vulnerabilities in widely used software products, demonstrating not only technical excellence but also dedication to responsible research and disclosure.

Discovery 1: Path Traversal Vulnerability in ONLYOFFICE Document Server (CVE-2023-46988)

In October 2023, Anton Simonyan and Vahagn Abazyan discovered a path traversal vulnerability in the ONLYOFFICE Document Server, an open-source document collaboration platform used by thousands of organizations globally. This vulnerability, now listed as CVE-2023-46988, allowed potential attackers to access sensitive system files and crash the server — a serious risk for any enterprise using the platform.

The vulnerability was reported through official channels, though acknowledgment and patching took several months. A fix was eventually released in February 2024, with some affected products receiving updates later.

Discovery 2: Insecure Direct Object Reference in OZForensics Face Recognition Application (CVE-2025-32367)

The second major discovery occurred in November 2023, when the same team identified an IDOR (Insecure Direct Object Reference) vulnerability in OZForensics, a biometric identity verification solution. The vulnerability, now documented as CVE-2025-32367, allowed unauthorized access to all personal client files uploaded during authentication — posing a significant privacy and data protection concern.

Grant Thornton Armenia’s cybersecurity experts responsibly reported the issue to OZForensics. A fix was issued by the end of 2023, strengthening the security of the platform for all users.

Recognition by MITRE and the Global Cybersecurity Community

Both vulnerabilities have been submitted and acknowledged through the CVE Program, a global initiative managed by the MITRE Corporation — a U.S.-based nonprofit organization that supports the government in areas such as cybersecurity, defense, and intelligence. Sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), the CVE Program defines and catalogs publicly disclosed cybersecurity vulnerabilities, serving as the global standard in this domain.

Official listings of these vulnerabilities are hosted in the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST), reinforcing the importance and credibility of these discoveries within the global cybersecurity community.

The People Behind the Discovery

These achievements would not have been possible without the hard work and expertise of Anton Simonyan, Vahagn Abazyan, and Sofiya Gasparyan — members of our dedicated Cybersecurity, Risk and Technology Services team. Their collaboration, persistence, and commitment to ethical research exemplify the values we stand for at Grant Thornton Armenia.

We are proud of their contribution to a safer digital world and remain committed to supporting organizations through proactive cybersecurity services, including penetration testing, vulnerability assessment, compliance advisory, and more.

Cybersecurity is not just a service — it's a responsibility. At Grant Thornton Armenia, we’re here to help you stay secure.