Skip to main content

CVE-2025-3365

| EUVDEUVD-2025-17091 CRITICAL
Relative Path Traversal (CWE-23)
2025-06-06 productsecurity@bbraun.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17091
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 09:15 nvd
CRITICAL 9.8

DescriptionCVE.org

A missing protection against path traversal allows to access any file on the server.

AnalysisAI

Critical path traversal vulnerability (CWE-23) that allows unauthenticated remote attackers to read, write, or delete arbitrary files on affected servers with a CVSS score of 9.8. The vulnerability requires no user interaction, has low attack complexity, and grants complete confidentiality, integrity, and availability impact. Without access to KEV status, EPSS scores, POC details, or specific CPE identifiers from the provided data, this appears to be a severe vulnerability affecting multiple server-side products; confirmation of active exploitation status and patch availability requires cross-referencing official vendor security advisories.

Technical ContextAI

Path traversal (CWE-23) vulnerabilities occur when an application fails to properly sanitize or validate user-supplied file path input, allowing attackers to use directory traversal sequences (e.g., '../', '..\', URL encoding, unicode encoding) to escape intended directory boundaries and access files outside the application's root directory. The missing protection mechanism indicates insufficient input validation and/or output encoding on file system operations. This commonly affects web applications, APIs, file upload handlers, and any service that constructs file paths from user input without proper canonicalization or whitelist validation. The network-based attack vector (AV:N) suggests this is likely a web-accessible service or API endpoint, while AC:L (low complexity) indicates standard path traversal payloads suffice without race conditions or other timing dependencies.

RemediationAI

Without explicit patch version data from vendor advisories, general mitigation steps include: (1) IMMEDIATE: disable or restrict network access to affected services via firewall rules if patch is unavailable; (2) apply vendor-released security patches immediately upon availability (monitor vendor security pages and mailing lists); (3) implement input validation: use whitelist-based path validation, reject requests containing '../', '..\', and encoded variants; (4) canonicalize file paths before access (resolve to absolute paths and verify against allowed directory); (5) run services with least-privilege file system permissions; (6) use security modules (ModSecurity, OWASP CRS) to block path traversal patterns; (7) enable detailed audit logging of file access attempts. Consult vendor security advisories at vendor-security-page.com or CISA alerts for specific patch URLs and deployment guidance.

Share

CVE-2025-3365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy