Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This vulnerability affects the function iasRequestFileEvent of the component RMI Interface. This manipulation of the argument m_strSourceFileName causes path traversal. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Remote path traversal in Industrial Application Software IAS Canias ERP 8.03 allows unauthenticated network attackers to read arbitrary files by manipulating the m_strSourceFileName argument in the iasRequestFileEvent function of the RMI Interface. The vulnerability has been publicly disclosed with proof-of-concept code available, and the vendor has not responded to early disclosure notification.
Technical ContextAI
Canias ERP 8.03 exposes an RMI (Remote Method Invocation) Interface component that processes file requests through the iasRequestFileEvent function. This function fails to properly validate or sanitize the m_strSourceFileName parameter, allowing attackers to inject path traversal sequences (such as ../ or absolute paths) to access files outside the intended directory structure. The root cause is improper input validation of file path arguments (CWE-22: Improper Limitation of a Pathname to a Restricted Directory), a classic vulnerability class affecting file-serving operations in enterprise applications.
RemediationAI
Immediate patching is the primary remediation: contact IAS vendor directly to obtain a security update for Canias ERP 8.03 that properly validates the m_strSourceFileName parameter. If a vendor patch is unavailable or delayed due to non-responsiveness, implement the following compensating controls: restrict network access to the RMI Interface by deploying firewall rules to limit connections only to trusted hosts or subnets; disable or isolate the RMI Interface service if not operationally required; implement file system access controls to limit the scope of files readable by the Canias ERP application process (principle of least privilege); and monitor RMI interface logs for suspicious file path requests containing traversal sequences (../, absolute paths, or encoded variants). These controls reduce exploitability but do not eliminate the underlying vulnerability and should be treated as temporary measures pending vendor remediation.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28951
GHSA-wgqr-wc5c-5vpp