References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

The target device exposes a service on a specific TCP port with a configured
 endpoint. The access to that endpoint is granted using a Basic Authentication
 method. The endpoint accepts also the PUT method and it is possible to 
write files on the target device file system. Files are written as root.
 Using Postman it is possible to perform a Directory Traversal attack 
and write files into any location of the device file system. Similarly to the PUT method, it is possible to leverage the 
same mechanism to read any file from the file system by using the GET 
method.

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-280

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27025

https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27025