Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
Absolute path disclosure vulnerability in DM Corporative CMS. This vulnerability allows an attacker to view the contents of webroot/file, if navigating to a non-existent file.
AnalysisAI
CVE-2025-40662 is an absolute path disclosure vulnerability in DM Corporative CMS that exposes sensitive filesystem information when an attacker requests non-existent files within the webroot/file directory. This high-severity information disclosure (CVSS 7.5) affects DM Corporative CMS users and allows unauthenticated remote attackers to enumerate and discover the absolute filesystem paths of the application, which typically precedes further exploitation. The vulnerability has not been confirmed as actively exploited in the wild (KEV status unknown from provided data), but represents a significant reconnaissance vector with minimal attack complexity.
Technical ContextAI
This vulnerability is rooted in CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), a common weakness in error handling and information disclosure. The underlying issue occurs in DM Corporative CMS's file handling mechanism within the webroot/file directory. When the application receives requests for non-existent files, it likely returns unfiltered error messages containing absolute filesystem paths (e.g., /var/www/html/webroot/file/nonexistent.txt), rather than generic error responses. This path disclosure occurs at the web application layer where error pages are rendered without sanitization. The vulnerability affects web-accessible file operations and suggests inadequate input validation or error suppression in the file request handler. The network-based attack vector (AV:N) indicates the flaw is exploitable remotely without any special access, and the lack of authentication requirement (PR:N) makes this particularly dangerous for reconnaissance.
RemediationAI
- Patching: Apply the latest security patch from DM Corporative immediately once released. Monitor vendor security advisories for CVE-2025-40662-specific patches. 2) Error Suppression: Configure the application to return generic HTTP 404 error pages without revealing absolute paths in error messages or server headers. 3) Access Control: Restrict access to the webroot/file directory at the web server level (nginx/Apache) to authenticated users only if possible. 4) Web Application Firewall (WAF): Deploy rules to detect and block requests to non-existent files in /file/ paths and scrub absolute paths from responses. 5) Monitoring: Enable logging of file requests to detect reconnaissance activity targeting the /file/ directory. 6) Workaround: If patching is delayed, implement a reverse proxy or WAF rule that strips filesystem path information from HTTP responses before reaching clients. Consult DM Corporative's official security advisory (to be released) for version-specific patch URLs and timelines.
More in Dm Corporative Cms
View allCritical unauthenticated SQL injection vulnerability in DM Corporative CMS affecting the /modules/forms/collectform.asp
Critical SQL injection vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to execute arbit
Critical SQL injection vulnerability in DM Corporative CMS affecting the /antcatalogue.asp endpoint's 'name' parameter,
A critical SQL injection vulnerability (CVE-2025-40654) exists in DM Corporative CMS affecting the /antbuspre.asp endpoi
CVE-2025-40661 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40660 is a security vulnerability (CVSS 7.5) that allows an attacker. High severity vulnerability requiring pro
CVE-2025-40659 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40658 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17647