CVE-2025-14693
Symlink Following Vulnerability in Ugreen DH2100+ USB Handler
Publication date: 2025-12-15
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ugreen | dh2100+ | 5.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14693 is a vulnerability in Ugreen DH2100+ devices up to firmware version 5.3.0 involving improper handling of symbolic links on external USB devices. An attacker with physical access can create symbolic links on a USB device that point to arbitrary files on the NAS system. When the USB device is connected, the NAS follows these symbolic links, allowing unauthorized access to or modification of files. This is due to insufficient validation of symbolic links in the USB Handler component, leading to incorrect access control. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure and modification of files on the affected NAS device, compromising the confidentiality and integrity of the system's data. An attacker can leak sensitive information or alter critical files by exploiting symbolic links on a USB device. The attack requires physical access but is considered easy to execute, potentially impacting system availability as well. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability requires physical access to the Ugreen DH2100+ device and involves symbolic links on external USB devices connected to the NAS. Detection involves inspecting connected USB devices for suspicious symbolic links that point to arbitrary files on the NAS. Since the vulnerability exploits symlink following on USB devices, you can check for symbolic links on USB storage by mounting the USB device and running commands like 'find /mnt/usb -type l -ls' to list symbolic links and verify their targets. Additionally, monitoring file access logs on the NAS for unexpected file modifications or accesses triggered by USB insertion may help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the connection of untrusted USB devices to the Ugreen DH2100+ device to avoid exploitation via crafted symbolic links. Since no vendor response or patches are available, consider disabling USB ports if possible or restricting physical access to the device. If feasible, replace the affected product with an alternative device not vulnerable to this issue. Monitoring for suspicious activity related to USB device connections is also recommended. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized access to and modification of arbitrary files on the affected NAS device, compromising confidentiality and integrity of data. Such unauthorized data access and modification could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive information. However, no explicit mention of compliance impact is provided in the resources. [1, 3]