CVE-2025-14693
Unknown Unknown - Not Provided
Symlink Following Vulnerability in Ugreen DH2100+ USB Handler

Publication date: 2025-12-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14693
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ugreen dh2100+ 5.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14693 is a vulnerability in Ugreen DH2100+ devices up to firmware version 5.3.0 involving improper handling of symbolic links on external USB devices. An attacker with physical access can create symbolic links on a USB device that point to arbitrary files on the NAS system. When the USB device is connected, the NAS follows these symbolic links, allowing unauthorized access to or modification of files. This is due to insufficient validation of symbolic links in the USB Handler component, leading to incorrect access control. [1, 2, 3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure and modification of files on the affected NAS device, compromising the confidentiality and integrity of the system's data. An attacker can leak sensitive information or alter critical files by exploiting symbolic links on a USB device. The attack requires physical access but is considered easy to execute, potentially impacting system availability as well. [1, 2, 3]

Detection Guidance

This vulnerability requires physical access to the Ugreen DH2100+ device and involves symbolic links on external USB devices connected to the NAS. Detection involves inspecting connected USB devices for suspicious symbolic links that point to arbitrary files on the NAS. Since the vulnerability exploits symlink following on USB devices, you can check for symbolic links on USB storage by mounting the USB device and running commands like 'find /mnt/usb -type l -ls' to list symbolic links and verify their targets. Additionally, monitoring file access logs on the NAS for unexpected file modifications or accesses triggered by USB insertion may help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include preventing the connection of untrusted USB devices to the Ugreen DH2100+ device to avoid exploitation via crafted symbolic links. Since no vendor response or patches are available, consider disabling USB ports if possible or restricting physical access to the device. If feasible, replace the affected product with an alternative device not vulnerable to this issue. Monitoring for suspicious activity related to USB device connections is also recommended. [2]

Compliance Impact

The vulnerability allows unauthorized access to and modification of arbitrary files on the affected NAS device, compromising confidentiality and integrity of data. Such unauthorized data access and modification could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive information. However, no explicit mention of compliance impact is provided in the resources. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14693. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart