CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER allows Path Traversal. This issue affects CLEVER: from n/a through 2.6.
Analysis
A path traversal vulnerability in LambertGroup CLEVER versions up to 2.6 allows unauthenticated remote attackers to read arbitrary files from the affected system, with high confidentiality impact. Exploitation requires no user interaction and can be carried out over the network, making it a critical exposure for organizations running vulnerable CLEVER instances. The CVSS score of 7.5 indicates significant risk, but the likelihood of active exploitation depends on whether the issue is listed in a known-exploited-vulnerabilities catalog and whether public proof-of-concept code exists; verify both against current threat intelligence feeds.
Technical Context
This vulnerability stems from improper input validation in pathname handling (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The affected product, LambertGroup CLEVER (CPE: likely cpe:2.3:a:lambertgroup:clever), fails to properly sanitize file path parameters, so an attacker can use directory traversal sequences (e.g., '../../../') to reach files outside the intended restricted directory. This is a classic path traversal flaw: user-supplied input is concatenated directly into a file operation without normalization or a check that the resulting path still lies within the permitted directory. The vulnerability affects CLEVER versions from an unspecified baseline through version 2.6, suggesting the flaw has existed for multiple release cycles.
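The flaw described above is the pattern "join the request parameter onto a base directory and open the result". The following is an added example written for this page, not code from LambertGroup or from the CLEVER product: it places the vulnerable join beside a hardened resolver that decodes percent-encoding (including double encoding), rejects NUL bytes and absolute paths, resolves '..' and symlinks, and then checks that the final path is still inside the restricted directory. The base directory /srv/clever/files and the probe strings are constructed for the demonstration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for the file-serving endpoint; the real product's
# paths are not given in the advisory. realpath() also works on paths that do
# not exist, so this example runs without creating any directories.
BASE_DIR = os.path.realpath("/srv/clever/files")


def vulnerable_resolve(user_path: str) -> str:
    """The flawed pattern the advisory describes: the request parameter is
    joined onto the base directory with no normalization or containment check,
    so '../' segments walk out of BASE_DIR. Kept only to contrast with
    safe_resolve(); never use this in production code."""
    return os.path.join(BASE_DIR, user_path)


def fully_decode(value: str, max_rounds: int = 3) -> Optional[str]:
    """Undo percent-encoding until the string stops changing, so that
    '%2e%2e%2f' and double-encoded '..%252f' are both seen as '../'. A value
    that is still changing after max_rounds is treated as hostile (None)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path the request may read, or None if the request
    must be refused. Decodes, rejects empty input, NUL bytes and absolute
    paths, resolves '..' and symlinks with realpath(), then requires the
    result to lie under base_dir, compared as whole path components rather
    than as a string prefix (so '/srv/clever/files2' does not pass)."""
    decoded = fully_decode(user_path)
    if decoded is None or not decoded or "\x00" in decoded:
        return None
    # Treat backslashes as separators so '..\\..\\' cannot slip through on a
    # platform where the OS itself would interpret them.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None
    candidate = os.path.realpath(os.path.join(base_dir, decoded))
    if candidate == base_dir:
        return None  # the directory itself is not a file to serve
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None  # escaped the restricted directory
    return candidate


if __name__ == "__main__":
    for probe in ("reports/q1.pdf", "../../etc/passwd",
                  "..%252f..%252fetc%252fpasswd", "docs/../index.html"):
        print(f"{probe!r:32} vulnerable={vulnerable_resolve(probe)!r}")
        print(f"{'':32} safe={safe_resolve(probe)!r}")
```

The containment check uses os.path.commonpath on the already-resolved path rather than a startswith() test; a prefix test would accept a sibling directory whose name merely begins with the base directory's name, and a check performed before realpath() would miss traversal hidden behind a symlink.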
Affected Products
LambertGroup CLEVER: versions 2.6 and earlier (exact baseline version not specified in the advisory). CPE: cpe:2.3:a:lambertgroup:clever:*:*:*:*:*:*:*:* (versions <= 2.6). No specific configuration restrictions are mentioned, so all standard deployments should be assumed vulnerable. Administrators should verify their CLEVER version immediately and check vendor advisories for patch availability and version progression.
Remediation
Immediate actions:
(1) Upgrade CLEVER to version 2.7 or later once it is released and validated by LambertGroup.
(2) Until a patch is available, implement network-level controls that restrict access to CLEVER services (WAF rules, IP allow-listing, VPN gating).
(3) Disable or restrict file-serving endpoints that are not required.
(4) Review access logs for '../' sequences (including their percent-encoded forms) and for unusual file access patterns.
(5) Monitor file system changes on systems hosting CLEVER.
Consult LambertGroup's official security advisory for specific patch links, rollout timelines, and any interim mitigations. If no patch exists yet, consider architectural isolation of CLEVER instances until remediation is available.
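Remediation step (4), reviewing access logs for traversal sequences, can be automated with a small scanner. The following is an added example written for this page, not code from LambertGroup or from vuln.today. The log lines are constructed in Apache combined-log format; the IPs (RFC 5737 documentation ranges), the endpoint path /clever/files and the name parameter are invented and not taken from the advisory. The scanner decodes percent-encoding before matching so that encoded and double-encoded variants are not missed, flags only a '..' that stands alone as a path segment (a file called 2025..q1.pdf is not a hit), and separates requests that returned 200 from those the server refused, since the former are the ones that need a file-exposure assessment.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines; nothing here comes from a real system.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2025:10:01:02 +0000] "GET /clever/files?name=brochure.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2025:10:02:11 +0000] "GET /clever/files?name=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
198.51.100.7 - - [12/Jun/2025:10:02:12 +0000] "GET /clever/files?name=..%2f..%2f..%2fconfig.php HTTP/1.1" 404 231 "-" "curl/8.0"
198.51.100.7 - - [12/Jun/2025:10:02:13 +0000] "GET /clever/files?name=..%252f..%252fetc%252fhosts HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.9 - - [12/Jun/2025:10:05:40 +0000] "GET /clever/files?name=reports/2025..q1.pdf HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2025:10:07:03 +0000] "GET /clever/files?name=..\\..\\windows\\win.ini HTTP/1.1" 200 403 "-" "python-requests/2.31"
"""

# Apache combined format: client IP, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' that stands alone as a path segment after decoding. Boundaries include
# '=', '?' and '&' so traversal inside a query-string value is caught, and
# both slash directions count as separators.
TRAVERSAL_RE = re.compile(r'(^|[/\\=?&])\.\.([/\\&]|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until the string stops changing (bounded), so
    '%2e%2e%2f' and double-encoded '..%252f' both become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str) -> dict:
    """Parse each line, decode the request target and flag traversal segments.
    Returns the hits in log order, a per-IP count, and the subset of hits the
    server answered with 200 (the requests most likely to have served a file)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        decoded = fully_decode(m.group("target"))
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "decoded": decoded,
                "status": int(m.group("status")),
            })
    return {
        "hits": hits,
        "by_ip": Counter(h["ip"] for h in hits),
        "served": [h for h in hits if h["status"] == 200],
    }


if __name__ == "__main__":
    summary = scan_access_log(SAMPLE_LOG)
    for h in summary["hits"]:
        print(f'{h["time"]} {h["ip"]:14} {h["status"]} {h["decoded"]}')
    print("per-IP counts:", dict(summary["by_ip"]))
    print("answered with 200:", len(summary["served"]))
```

A 404 or 403 on a traversal request still records a probe worth correlating with other activity from the same source; a 200 with a non-trivial response size is the line to escalate, because it indicates the endpoint returned something for a path outside its directory.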
EUVD-2025-17503