CVE-2024-37825 is a directory traversal vulnerability identified in EnvisionWare Computer Access & Reservation Control SelfCheck version 1.0. This vulnerability allows an unauthenticated attacker who is on the same local network as the vulnerable device to perform directory traversal attacks. Directory traversal (CWE-22) enables attackers to access files and directories outside the intended directory structure by manipulating file path inputs. In this case, the flaw could allow attackers to read sensitive files or configuration data that should be inaccessible, potentially exposing confidential information or enabling further attacks. The vulnerability does not require authentication or user interaction, increasing its risk in shared network environments such as libraries or public access networks. The issue has been addressed in the OneStop 3.2.0.27184 Hotfix released in May 2024. The CVSS v3.1 base score is 5.4, with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality and integrity but not availability. No public exploits or active exploitation have been reported to date, but the vulnerability's presence in public access systems makes it a concern for organizations relying on EnvisionWare SelfCheck solutions.

The primary impact of CVE-2024-37825 is unauthorized disclosure of sensitive information due to directory traversal, which compromises confidentiality and potentially integrity if configuration files or scripts are accessed and modified. Since the vulnerability requires network proximity, it mainly threatens environments where attackers can connect to the same local network, such as public libraries, educational institutions, or other public access points using EnvisionWare SelfCheck systems. Exploitation could lead to leakage of user data, system configuration details, or credentials stored in accessible files, increasing the risk of further attacks or data breaches. Although availability is not directly affected, the breach of confidentiality and integrity can undermine trust and operational security. Organizations with multiple deployed units may face a broader attack surface, especially if network segmentation is weak. The lack of authentication requirements makes this vulnerability easier to exploit for insiders or nearby attackers.

Organizations should immediately apply the OneStop 3.2.0.27184 Hotfix released in May 2024 to remediate this vulnerability. Until patched, network segmentation should be enforced to isolate EnvisionWare SelfCheck devices from untrusted or public networks, limiting access to trusted personnel only. Implement strict access control lists (ACLs) on network devices to restrict traffic to and from the vulnerable systems. Monitor network traffic for unusual file access patterns or attempts to exploit directory traversal. Conduct regular audits of system logs and file integrity to detect unauthorized access. Disable or restrict unnecessary services on the SelfCheck devices to reduce the attack surface. Educate staff and users about the risks of connecting unauthorized devices to the same network. Finally, maintain an inventory of all EnvisionWare products deployed to ensure timely patch management and vulnerability tracking.