Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER allows Path Traversal. This issue affects CLEVER: from n/a through 2.6.
AnalysisAI
Path traversal vulnerability in LambertGroup CLEVER versions up to 2.6 that allows unauthenticated remote attackers to read arbitrary files from the affected system with high confidentiality impact. The vulnerability requires no user interaction and can be exploited over the network, making it a critical exposure for organizations running vulnerable CLEVER instances. While CVSS 7.5 indicates significant risk, actual exploitation depends on KEV listing status and public POC availability, which should be verified against current threat intelligence feeds.
Technical ContextAI
This vulnerability exploits improper input validation in pathname handling (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The affected product, LambertGroup CLEVER (CPE: likely cpe:2.3:a:lambertgroup:clever), fails to properly sanitize file path parameters, allowing attackers to use directory traversal sequences (e.g., '../../../') to access files outside the intended restricted directory. This is a classic path traversal flaw where user-supplied input is concatenated directly into file operations without normalization or validation. The vulnerability affects CLEVER versions from an unspecified baseline through version 2.6, suggesting the flaw has existed for multiple release cycles.
RemediationAI
Immediate actions: (1) Upgrade CLEVER to version 2.7 or later once released/validated by LambertGroup; (2) Until patches are available, implement network-level controls to restrict access to CLEVER services (WAF rules, IP whitelisting, VPN gating); (3) Disable or restrict file-serving endpoints if not required; (4) Review access logs for suspicious '../' sequences or unusual file access patterns; (5) Monitor file system changes on systems hosting CLEVER. Consult LambertGroup's official security advisory for specific patch links, rollout timelines, and any interim mitigations. If no patch exists yet, consider architectural isolation of CLEVER instances until remediation is available.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17503