CVE-2021-40661 is a remote, unauthenticated directory traversal vulnerability affecting the web interface of IND780 Advanced Weighing Terminals, specifically versions labeled IND780_8.0.07 (Build March 19, 2018) and IND780_7.2.10 (Build June 18, 2012). The vulnerability arises from improper validation of the 'webpage' parameter in the AutoCE.ini configuration file, which allows an attacker to supply directory traversal sequences (e.g., '../') to access files outside the intended web directory. This flaw enables an unauthenticated remote adversary to enumerate and read arbitrary files on the affected device's filesystem. Such unauthorized file access can reveal sensitive information including configuration files, system version details, or other data that could facilitate further targeted attacks. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has a CVSS v3.1 base score of 7.5 (high severity), reflecting its ease of exploitation (network attack vector, no privileges or user interaction required) and significant confidentiality impact. Although no known exploits have been reported in the wild, the vulnerability poses a substantial risk due to the critical nature of the affected devices, which are industrial weighing terminals often used in logistics, manufacturing, and supply chain environments. The lack of authentication requirement and the ability to remotely access sensitive files make this a serious security concern that could lead to information disclosure and enable subsequent attacks against the affected systems or networks.

For European organizations utilizing IND780 Advanced Weighing Terminals, this vulnerability could lead to unauthorized disclosure of sensitive operational data and system information. Such data leakage may compromise confidentiality of business processes, inventory data, or proprietary configurations. Attackers could leverage the information obtained to identify system versions and weaknesses, facilitating further exploitation such as targeted malware deployment or disruption of weighing operations. Given the critical role these terminals play in supply chain and manufacturing workflows, exploitation could indirectly affect operational integrity and business continuity. Additionally, unauthorized access to device files might expose credentials or network configuration details, increasing the risk of lateral movement within corporate networks. The impact is particularly relevant for industries with stringent regulatory requirements around data protection and operational security, such as pharmaceuticals, food production, and logistics sectors prevalent in Europe.

To mitigate this vulnerability, organizations should first verify if their IND780 Advanced Weighing Terminals are running the affected firmware versions (IND780_8.0.07 or IND780_7.2.10). Since no official patches or updates are referenced, immediate mitigation steps include restricting network access to the web interface of these devices by implementing network segmentation and firewall rules to limit exposure only to trusted management networks. Employing VPNs or secure tunnels for remote access can further reduce risk. Monitoring and logging access to the devices' web interfaces should be enhanced to detect suspicious traversal attempts. If possible, disable or restrict the use of the 'webpage' parameter or any web interface features that accept user input for file paths. Vendors should be contacted to inquire about firmware updates or patches addressing this vulnerability. Additionally, organizations should conduct regular security assessments of industrial control systems and apply compensating controls such as intrusion detection systems tailored for industrial environments to detect exploitation attempts.