Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.
AnalysisAI
Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.
Technical ContextAI
Eclipse BaSyx is a Java-based open-source implementation of the Asset Administration Shell (AAS) framework for Industry 4.0 and Industrial IoT applications. The vulnerability resides in the Submodel HTTP API component responsible for handling file upload operations. The root cause is inadequate path normalization (CWE-22: Improper Limitation of a Pathname to a Restricted Directory), where user-supplied fileName parameters are not properly validated or sanitized before being used in filesystem operations. Attackers can inject directory traversal sequences (e.g., '../../../') to escape the intended upload directory. Because the Java process typically runs with application-level permissions, successful exploitation grants filesystem write access to any location writable by that process, including application directories, configuration files, web roots, or system startup locations depending on deployment architecture.
RemediationAI
Upgrade immediately to Eclipse BaSyx Java Server SDK version 2.0.0-milestone-10 or later, which contains fixes for inadequate path normalization in the Submodel HTTP API per vendor advisory at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Until patching is completed, implement these compensating controls with noted trade-offs: (1) Disable or restrict network access to the Submodel HTTP API file upload endpoints using firewall rules or reverse proxy ACLs limiting access to trusted IP ranges only - reduces exposure but breaks legitimate remote file upload functionality for external clients; (2) Deploy the Java Server SDK in containerized environments with read-only root filesystems and minimal writable volumes, limiting blast radius of arbitrary file writes - adds operational complexity and may require application reconfiguration for legitimate file storage locations; (3) Run the Java process with minimally-privileged dedicated service accounts in isolated filesystem namespaces (chroot/containers) preventing writes to critical system paths - effective mitigation but requires infrastructure changes and testing to ensure application functionality. None of these workarounds fully eliminate the vulnerability; upgrading to the patched version remains the only complete remediation. Organizations unable to upgrade immediately should combine multiple compensating controls and implement enhanced monitoring for unexpected filesystem modifications.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27384
GHSA-8gpm-h2mh-36qc