CVE-2025-41714
BaseFortify
Publication date: 2025-09-10
Last updated on: 2025-09-11
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| welotec | smartems | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the upload endpoint does not properly validate the 'Upload-Key' request header. An authenticated attacker can use path traversal sequences in this header to make the server create upload-related files outside the intended storage area. Depending on the server configuration, this can allow arbitrary file writes and potentially enable remote code execution.
How can this vulnerability impact me? :
The vulnerability can lead to severe impacts including unauthorized file creation outside designated directories, arbitrary file writes, and potentially remote code execution. This means an attacker could manipulate files on the server or execute malicious code, compromising the system's confidentiality, integrity, and availability.