VDE-2025-085

Vulnerability from csaf_welotecgmbh - Published: 2025-09-10 07:00 - Updated: 2025-09-22 08:00
Summary
Welotec: Path Traversal in SmartEMS Upload Handling
Severity
High
Notes
Summary: A path traversal flaw in the SmartEMS upload handling allows authenticated users to direct upload data outside of the intended directory via the 'Upload-Key' header. In deployments where writable, code-interpreted paths are reachable, this may lead to remote code execution.
Impact: An authenticated attacker with network access to the SmartEMS Web UI can write outside the intended upload directory, overwrite or place files in sensitive locations, escalate to remote code execution depending on filesystem permissions and execution context, and access or modify sensitive data.
Mitigation: Restrict access to the SmartEMS Web UI to trusted admin networks or VPN. Enforce strong credentials and rotate or revoke active tokens/sessions.
Remediation: Update SmartEMS to version 3.3.6 which fixes the issue.

The upload endpoint insufficiently validates the 'Upload-Key' request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain configurations this enables arbitrary file write and may be leveraged to achieve remote code execution.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Mitigation: Restrict access to the SmartEMS Web UI to trusted admin networks/VPN. Enforce strong credentials and rotate or revoke active tokens/sessions.
Vendor Fix: Update SmartEMS to version 3.3.6 or later.
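The weakness class above (CWE-22: a client-supplied value such as a request header is used to build a filesystem path without confining it to the upload directory) is usually fixed by validating the value lexically and then checking that the resolved path still lies under the intended root. The following Python is an added example written for this advisory; it is not Welotec's code and does not reflect how SmartEMS handles the 'Upload-Key' header or how version 3.3.6 fixed it. The upload root, the key values and the function names are constructed for illustration.

```python
"""Confine a client-supplied upload key to a fixed upload root (CWE-22 hardening).

Added example; hypothetical code, not taken from the SmartEMS product.
"""
from pathlib import Path, PurePosixPath

# Constructed example root; not a path from the SmartEMS product.
UPLOAD_ROOT = "/srv/example-ems/uploads"


class UnsafeUploadKey(ValueError):
    """Raised when a client-supplied upload key would escape the upload root."""


def resolve_upload_path(upload_root: str, upload_key: str) -> Path:
    """Return the absolute path an upload key maps to, or raise UnsafeUploadKey.

    Lexical checks first (absolute paths, '..' segments, NUL bytes), then a
    resolved-path containment check so that nothing slips past the lexical rules.
    """
    root = Path(upload_root).resolve()

    if not isinstance(upload_key, str) or not upload_key or "\x00" in upload_key:
        raise UnsafeUploadKey("upload key must be a non-empty string without NUL bytes")

    # Treat backslashes as separators so Windows-style sequences are caught too.
    key = PurePosixPath(upload_key.replace("\\", "/"))

    if key.is_absolute():
        raise UnsafeUploadKey("absolute paths are not allowed")
    if any(part == ".." for part in key.parts):
        raise UnsafeUploadKey("parent directory references are not allowed")

    # Build the candidate from the validated segments and resolve symlinks/dots.
    candidate = root.joinpath(*key.parts).resolve()

    # Belt and braces: the resolved path must be strictly inside the root.
    if candidate == root:
        raise UnsafeUploadKey("upload key must name a file below the upload root")
    try:
        candidate.relative_to(root)
    except ValueError as exc:
        raise UnsafeUploadKey("resolved path escapes the upload root") from exc

    return candidate


def is_safe_upload_key(upload_root: str, upload_key: str) -> bool:
    """Boolean wrapper around resolve_upload_path for filters and tests."""
    try:
        resolve_upload_path(upload_root, upload_key)
        return True
    except UnsafeUploadKey:
        return False


def classify_upload_keys(upload_root: str, keys: list) -> dict:
    """Map each key to 'accepted' or the rejection reason (for review/logging)."""
    result = {}
    for key in keys:
        try:
            resolve_upload_path(upload_root, key)
            result[key] = "accepted"
        except UnsafeUploadKey as exc:
            result[key] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    # Constructed sample keys: one legitimate, the rest traversal attempts.
    sample_keys = [
        "site-a/device-17/config.bin",
        "../../etc/cron.d/job",
        "/etc/passwd",
        "..\\..\\app\\boot.py",
        "safe/../../escape",
        ".",
    ]
    for key, verdict in classify_upload_keys(UPLOAD_ROOT, sample_keys).items():
        print(f"{key!r}: {verdict}")
```

The resolved-path check matters even after the lexical rules: if a symlink is ever created inside the upload root, `resolve()` follows it, so a key that looks harmless lexically is still rejected once it leaves the root. Logging the rejection reason (as `classify_upload_keys` does) also gives defenders a clean signal to alert on.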
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination.",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "A path traversal flaw in the SmartEMS upload handling allows authenticated users to direct upload data outside of the intended directory via the \u0027Upload-Key\u0027 header. In deployments where writable, code-interpreted paths are reachable, this may lead to remote code execution.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "An authenticated attacker with network access to the SmartEMS Web UI can write outside the intended upload directory, overwrite or place files in sensitive locations, escalate to remote code execution depending on filesystem permissions and execution context, and access or modify sensitive data.",
        "title": "Impact"
      },
      {
        "category": "details",
        "text": "Restrict access to the SmartEMS Web UI to trusted admin networks or VPN. Enforce strong credentials and rotate or revoke active tokens/sessions.",
        "title": "Mitigation"
      },
      {
        "category": "details",
        "text": "Update SmartEMS to version 3.3.6 which fixes the issue.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@welotec.com",
      "name": "Welotec GmbH",
      "namespace": "https://welotec.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Welotec PSIRT",
        "url": "https://welotec.com/de/pages/coordinated-vulnerability-disclosure-policy"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Welotec",
        "url": "https://certvde.com/de/advisories/vendor/welotec"
      },
      {
        "category": "self",
        "summary": "VDE-2025-085: Welotec: Path Traversal in SmartEMS Upload Handling - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-085"
      },
      {
        "category": "self",
        "summary": "VDE-2025-085: Welotec: Path Traversal in SmartEMS Upload Handling - CSAF",
        "url": "https://welotec.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-085.json"
      }
    ],
    "title": "Welotec: Path Traversal in SmartEMS Upload Handling",
    "tracking": {
      "aliases": [
        "VDE-2025-085"
      ],
      "current_release_date": "2025-09-22T08:00:00.000Z",
      "generator": {
        "date": "2025-09-22T07:39:32.922Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.32"
        }
      },
      "id": "VDE-2025-085",
      "initial_release_date": "2025-09-10T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-09-10T07:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        },
        {
          "date": "2025-09-22T08:00:00.000Z",
          "number": "1.0.1",
          "summary": "Changes impact note categorie from details to description"
        }
      ],
      "status": "final",
      "version": "1.0.1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003cv3.3.6",
                    "product": {
                      "name": "Welotec Software SmartEMS Web Application \u003cv3.3.6",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "v3.3.6",
                    "product": {
                      "name": "Welotec Software SmartEMS Web Application v3.3.6",
                      "product_id": "CSAFPID-52001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "SmartEMS Web Application"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Welotec"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41714",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "The upload endpoint insufficiently validates the \u0027Upload-Key\u0027 request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain configurations this enables arbitrary file write and may be leveraged to achieve remote code execution.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001"
        ],
        "known_affected": [
          "CSAFPID-51001"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Restrict access to the SmartEMS Web UI to trusted admin networks/VPN. Enforce strong credentials and rotate or revoke active tokens/sessions.",
          "product_ids": [
            "CSAFPID-51001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update SmartEMS to version 3.3.6 or later.",
          "product_ids": [
            "CSAFPID-51001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001"
          ]
        }
      ],
      "title": "Path Traversal via \u0027Upload-Key\u0027 in SmartEMS Upload Handling"
    }
  ]
}

