Tag: cwe-22

  • CVE-2025-4632: Critical Path Traversal Vulnerability in Samsung MagicINFO 9 Server

    Overview

    On May 13, 2025, Samsung disclosed a critical vulnerability identified as CVE-2025-4632 in its MagicINFO 9 Server product. The issue affects all versions prior to 21.1052 and allows unauthenticated remote attackers to write arbitrary files to the server with system-level privileges. This flaw is a classic example of a Path Traversal vulnerability, categorized under CWE-22.

    What is Path Traversal?

    Path Traversal, also known as Directory Traversal, occurs when an application builds a file path from user-controlled input without confining the result to the intended directory. Sequences such as ../ (or their URL-encoded forms), absolute paths, and symbolic links then let an attacker reach files outside that directory, resulting in unauthorized reads or, as in this case, writes that overwrite sensitive or executable files.

    Technical Details

    The vulnerability is caused by improper limitation of a pathname to a restricted directory. In the case of MagicINFO 9 Server, attackers can exploit this flaw over the network without authentication by sending specially crafted requests whose path values are not confined to the intended directory. A successful request writes attacker-controlled content, such as a web shell, to a location of the attacker's choosing, and because the server performs the write as system authority, no writable location on the host is off limits.

    Severity and CVSS Score

    This issue has been rated CRITICAL under the CVSS v3.1 scoring system, with a base score of 9.8. The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This score indicates that the attack is possible over a network, requires no user interaction or privileges, and results in a full compromise of confidentiality, integrity, and availability.

    Impact

    According to CAPEC-650, this vulnerability may allow attackers to upload a web shell to the server, providing persistent remote access and the ability to execute arbitrary commands. Given that the server processes these actions as system authority, the impact can be total system compromise.

    Mitigation

    Samsung has released an update in version 21.1052 to patch this vulnerability. All users and administrators of MagicINFO 9 Server should:

    • Immediately upgrade to version 21.1052 or later
    • Audit web server and application logs for upload requests containing traversal sequences (including URL-encoded forms), and check web-served directories for unexpected files
    • Implement strict network-level protections to limit exposure
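    The log-audit step above is the one most likely to surface an exploitation attempt after the fact. What follows is an added example, not Samsung's tooling and not MagicINFO's real log format: a small detector run over constructed Apache-style access log lines with generic upload/download paths. It undoes the encodings attackers use to hide traversal sequences (percent-encoding, double encoding, backslash separators) and ranks successful write-capable requests above mere probes, since a 2xx POST with a traversal sequence is where a web shell would have landed.

```python
"""Added example: flag path-traversal attempts in HTTP access logs.

The sample lines below are constructed in Apache "combined" style with
generic upload/download URLs; they are not MagicINFO's routes or logs.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2025:10:01:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2025:10:01:09 +0000] "POST /upload?path=..%2F..%2Fwebapps%2FROOT%2Fcmd.jsp HTTP/1.1" 200 17 "-" "curl/8.4.0"
198.51.100.7 - - [13/May/2025:10:01:15 +0000] "GET /files/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0 "-" "curl/8.4.0"
198.51.100.7 - - [13/May/2025:10:01:21 +0000] "GET /files/..\\..\\windows\\win.ini HTTP/1.1" 200 92 "-" "curl/8.4.0"
203.0.113.9 - - [13/May/2025:10:02:00 +0000] "GET /files/notes...old.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/May/2025:10:02:30 +0000] "POST /upload?path=images%2Flogo.png HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(target: str) -> str:
    """Undo the encodings used to hide '..': repeated percent-decoding
    (%2e%2e and double-encoded %252e) and backslash path separators."""
    s = target
    for _ in range(3):  # bounded: a third layer of encoding is not worth chasing
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def has_dotdot_segment(value: str) -> bool:
    """True only for a whole '..' segment, so 'notes...old.txt' is not flagged."""
    return ".." in value.split("/")


def traversal_indicators(target: str) -> list:
    """Return which parts of a request target carry a '..' segment or a NUL byte."""
    norm = normalise(target)
    path, _, query = norm.partition("?")
    hits = []
    if "\x00" in norm:
        hits.append("nul-byte")
    if has_dotdot_segment(path):
        hits.append("path")
    for pair in (query.split("&") if query else []):
        key, _, val = pair.partition("=")
        if has_dotdot_segment(val):
            hits.append(f"query:{key}")
    return hits


def scan(lines) -> list:
    """Scan access-log lines; 'write' findings are successful POST/PUT/PATCH
    requests carrying traversal, the ones to investigate first."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = traversal_indicators(m["target"])
        if not indicators:
            continue
        succeeded = m["status"].startswith("2")
        can_write = m["method"] in ("POST", "PUT", "PATCH")
        findings.append({
            "line": n, "ip": m["ip"], "method": m["method"],
            "status": int(m["status"]), "indicators": indicators,
            "kind": "write" if can_write and succeeded else "probe",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f)
```

    Run against the constructed sample, the detector flags the successful POST as a write, and the two GETs (one double-encoded, one using backslashes) as probes, while leaving the file named with three dots alone. Real log formats vary, so the regular expression is the part to adapt.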

    Conclusion

    CVE-2025-4632 underscores the dangers of insufficient file path validation in enterprise systems. Given the critical nature of this bug and its potential for full system takeover, it is imperative for affected users to update immediately and follow best practices in application hardening.

    For more details, consult the official Samsung security bulletin: SVP-MAY-2025.

  • CVE-2025-27519: Critical Path Traversal Vulnerability in Cognita RAG Framework

    Overview

    On March 7, 2025, a critical vulnerability identified as CVE-2025-27519 was disclosed, affecting the Cognita RAG (Retrieval Augmented Generation) framework developed by TrueFoundry. This vulnerability, categorized under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), allows attackers to write arbitrary files within the container environment, leading to remote code execution.

    Vulnerability Details

    The vulnerability resides in the /v1/internal/upload-to-local-directory endpoint, which is only active when the Local environment variable is set to true, the configuration used when Cognita is deployed with Docker. Because that Docker deployment runs uvicorn with auto-reload enabled by default, overwriting a Python source file causes the server to import and execute the new code immediately.

    An attacker can exploit this by overwriting critical files such as /app/backend/__init__.py, triggering arbitrary code execution inside the Docker container without any required user interaction or privileges.
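    As an added example (not Cognita's own code and not the fix commit), here is the vulnerable join-and-write pattern beside a hardened handler that refuses traversal. It illustrates both the general definition of path traversal given in the Samsung entry above and the overwrite of backend/__init__.py described here. The directory layout, function names and hostile filenames are constructed for the demonstration; only the endpoint and the target file name come from the advisory.

```python
"""Added example: an upload handler with the traversal bug beside a hardened one.

Not Cognita's code. The target file backend/__init__.py comes from the
advisory; the function names, directory layout and sample requests are this
example's own assumptions.
"""
import os
import tempfile
from pathlib import Path


def unsafe_save(base_dir: str, filename: str, data: bytes) -> str:
    """Vulnerable pattern: join an attacker-supplied name onto the base directory.

    os.path.join(base, "../x") yields base/../x, and an absolute name discards
    base entirely, so the write lands wherever the process may write, such as
    over a Python source file that an auto-reloading server then executes.
    """
    target = os.path.join(base_dir, filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return os.path.abspath(target)


def safe_save(base_dir: str, filename: str, data: bytes) -> str:
    """Hardened pattern: resolve the final path and insist it stays under base.

    Rejects NUL bytes (they truncate paths in C APIs) and backslashes (separators
    on Windows, plain characters on POSIX), then absolute names and '..' segments,
    then resolves symlinks on both sides so a symlinked subdirectory pointing
    outside the base cannot slip past a purely lexical check.
    """
    if not filename or "\x00" in filename or "\\" in filename:
        raise ValueError("empty or illegal filename")
    rel = Path(filename)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError("filename must be relative and free of '..'")
    root = Path(base_dir).resolve()
    target = (root / rel).resolve()
    if root not in target.parents:
        raise ValueError("path escapes the upload directory")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return str(target)


def demo() -> dict:
    """Build a throwaway app layout and exercise both handlers.

    Returns what each attempt did so the outcome can be checked, not just printed.
    """
    payload = b"import os; os.system('id')\n"  # constructed stand-in for hostile code
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "app")
        init_py = app / "backend" / "__init__.py"
        init_py.parent.mkdir(parents=True)
        init_py.write_text("# original module\n")
        uploads = app / "uploads"
        uploads.mkdir()

        results = {}
        written = Path(unsafe_save(str(uploads), "../backend/__init__.py", payload))
        results["unsafe_overwrote_init"] = init_py.read_bytes() == payload
        results["unsafe_left_uploads"] = uploads not in written.parents

        hostile = ["../backend/__init__.py", "/etc/passwd", "..", "a\\..\\b.py", "x\x00.py", ""]
        try:  # symlink escape: lexically clean, but resolves outside the base
            os.symlink(app / "backend", uploads / "link")
            hostile.append("link/__init__.py")
        except OSError:
            pass  # platforms without symlink rights skip this case
        rejected = []
        for name in hostile:
            try:
                safe_save(str(uploads), name, payload)
                rejected.append(False)
            except ValueError:
                rejected.append(True)
        results["safe_rejected_all"] = all(rejected)

        good = Path(safe_save(str(uploads), "docs/report.pdf", b"%PDF-1.4\n"))
        results["safe_wrote_inside"] = (uploads.resolve() in good.parents
                                        and good.read_bytes() == b"%PDF-1.4\n")
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The point of the resolve-then-compare check is that it judges the path the operating system will actually open, after symlinks and '..' are applied, rather than the string the client sent. A prefix comparison on the raw string would accept "uploads-old/" as inside "uploads", so the containment test uses path components (parents), not startswith().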

    Technical Breakdown

    This vulnerability has been rated Critical with a CVSS v4.0 base score of 9.3. The CVSS vector string is:

    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

    Key characteristics include:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality, Integrity, Availability Impact: High

    The danger is compounded in containerized deployments, where a development convenience such as auto-reload can ship unnoticed inside a production image and turn an arbitrary file write into immediate code execution.

    Understanding CWE-22

    CWE-22 refers to failures in restricting file paths, enabling attackers to access or modify files outside the intended directory scope. In this case, the lack of path validation allows overwriting key application files, which are then executed by the backend server due to auto-reload features.

    Affected Versions and Fix

    This vulnerability affects all versions of Cognita before commit a78bd065e05a1b30a53a3386cc02e08c317d2243. The issue has been addressed in this commit, which introduces proper path validation and mitigates the risk of arbitrary file write and execution.

    Recommendations

    • Update to the patched version containing commit a78bd065e05a1b30a53a3386cc02e08c317d2243.
    • Disable the Local environment variable in production environments.
    • Avoid enabling auto-reload in production deployments.
    • Implement strict path validation in file upload handlers.

    Conclusion

    CVE-2025-27519 highlights the critical risks introduced by insecure file handling in containerized applications. Developers and DevOps teams should review their configurations and apply patches immediately to prevent potential exploitation. For further details, refer to the official GitHub advisory.

  • CVE-2025-26692: Path Traversal Vulnerability in SIOS Quick Agent

    Overview

    CVE-2025-26692 identifies a critical security vulnerability affecting SIOS Quick Agent V2 and V3. Specifically, Quick Agent V3 versions prior to 3.2.1 and Quick Agent V2 versions prior to 2.9.8 are affected. This vulnerability involves improper limitation of a pathname to a restricted directory, commonly known as a Path Traversal issue.

    Technical Details

    The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. Affected versions fail to adequately validate file paths, allowing remote unauthenticated attackers to traverse directories and access files outside the intended root directory. If exploited, this can result in the execution of arbitrary code with Windows system privileges.

    Because the software runs with elevated permissions, successful exploitation could allow complete system compromise, depending on the attacker’s ability to control or manipulate uploaded file paths.

    Severity and CVSS Scores

    This vulnerability has received the following CVSS ratings:

    • CVSS v3.0: 8.1 (High) – CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    • CVSS v4.0: 9.2 (Critical) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

    Both vectors agree on remote exploitation with no authentication or user interaction and a high impact on confidentiality, integrity, and availability. They differ in how they express a precondition on the attack: v3.0 rates Attack Complexity as High, while v4.0 rates Attack Complexity Low but Attack Requirements Present, which is why the v4.0 score comes out higher.

    Potential Impact

    If left unpatched, this vulnerability could allow attackers to:

    • Read or modify sensitive system files
    • Install and execute malicious programs
    • Fully compromise affected systems

    The risk is elevated due to the lack of authentication needed and the ability to exploit the issue over a network.

    Mitigation

    • Upgrade to: Quick Agent V3 version 3.2.1 or later, and Quick Agent V2 version 2.9.8 or later.
    • Restrict network access: Ensure that only trusted systems can reach the agent endpoints.
    • Monitor system logs: Look for abnormal file access patterns or unexpected file executions.

  • CVE-2025-30387: Critical Path Traversal in Azure AI Document Intelligence Studio

    Overview

    CVE-2025-30387 is a critical vulnerability in the on-premises edition of Microsoft Azure AI Document Intelligence Studio. It affects versions from 1.0.0 up to, but not including, 1.0.03019.1-official-7241c17a, and allows an unauthorized attacker to elevate privileges over the network by exploiting a path traversal weakness.

    What is Path Traversal?

    Path Traversal, categorized under CWE-22, occurs when attackers manipulate file paths in input fields to access files or directories outside the intended scope. This can result in unauthorized access to system files, configuration data, or in this case, elevation of privilege within the affected application.

    Technical Details

    The issue stems from improper validation of user-supplied file paths in the Document Intelligence Studio On-Prem edition. An attacker on the network can exploit this by crafting specially formed paths to escape restricted directories and access sensitive files or execute unauthorized actions.

    This vulnerability has been scored with a CVSS v3.1 base score of 9.8 (Critical) and is described by the following vector:

    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High for Confidentiality, Integrity, and Availability

    SSVC Assessment

    According to the CISA Stakeholder-Specific Vulnerability Categorization (SSVC):

    • No exploitation has been observed yet
    • The attack is automatable
    • The technical impact is considered total

    While not currently exploited, the vulnerability poses significant risk due to its ease of exploitation and potential for full system compromise.

    Mitigation

    Microsoft has addressed the issue in version 1.0.03019.1-official-7241c17a of Azure AI Document Intelligence Studio. Organizations using earlier versions should:

    • Upgrade to the latest patched release immediately
    • Restrict network access to the affected service
    • Review audit logs for any signs of unusual file access or privilege elevation attempts

    Conclusion

    This case underlines the importance of thorough input validation and timely patching, especially in on-prem environments that may be less frequently updated.