CVE-2025-10232: Path Traversal in 299ko
A weakness has been identified in 299ko up to 2.0.0. Affected by this issue is the function getSentDir/delete of the file plugin/filemanager/controllers/FileManagerAPIController.php. Executing manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10232 is a medium-severity path traversal vulnerability in 299ko, affecting versions up to and including 2.0.0. The flaw lies in the getSentDir/delete function of FileManagerAPIController.php in the filemanager plugin. An attacker can exploit it by manipulating input parameters to traverse directories outside the intended file system scope, potentially accessing or deleting arbitrary files on the server. The vulnerability is remotely exploitable without user interaction, which raises its risk profile. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), no confidentiality impact (VC:N), and low integrity and availability impacts (VI:L, VA:L). The vendor has not responded to disclosure attempts, and no official patch is currently available. Although public exploit code exists, there are no confirmed reports of exploitation in the wild at this time. The root cause is insufficient validation or sanitization of file path inputs, which lets an attacker escape the intended directory context and manipulate files arbitrarily. Depending on the files accessed or deleted, this can lead to unauthorized data disclosure, data loss, or service disruption.
Potential Impact
For European organizations using 299ko version 2.0.0 or earlier, this vulnerability poses a tangible risk to the confidentiality, integrity, and availability of critical data and systems. Path traversal attacks can lead to unauthorized access to sensitive files such as configuration files, credentials, or business data, potentially resulting in data breaches or leakage of personal data protected under GDPR. Additionally, the ability to delete files remotely can disrupt business operations, cause data loss, or facilitate further compromise by removing security controls or logs. Since the vulnerability requires only low privileges and no user interaction, attackers can automate exploitation, increasing the threat level. Organizations relying on 299ko for file management in web applications or intranet portals may face operational disruptions and reputational damage if exploited. The lack of vendor response and patches further exacerbates the risk, requiring organizations to implement compensating controls promptly.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement the following specific mitigations:
1) Immediately audit and restrict access to the vulnerable 299ko instances, limiting exposure to trusted networks and IP addresses only.
2) Employ web application firewalls (WAFs) with custom rules to detect and block path traversal patterns targeting the FileManagerAPIController.php endpoints, particularly the getSentDir/delete functions.
3) Conduct thorough input validation and sanitization at the application or proxy level to reject suspicious path traversal payloads (e.g., sequences like '../').
4) Monitor logs for unusual file access or deletion attempts related to the filemanager plugin and set up alerts for anomalous activities.
5) Where feasible, isolate the 299ko application in a sandboxed environment with minimal privileges and restrict file system permissions to prevent unauthorized file access or deletion beyond necessary directories.
6) Plan for migration or upgrade to a secure alternative or future patched version once available.
7) Educate IT and security teams about this vulnerability and ensure incident response plans include steps for potential exploitation scenarios.
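As an added illustration of mitigations 3 and 4 (example code written for this page, not code from 299ko or from the advisory), the Python below scans constructed access-log lines for requests to the filemanager controller whose query parameters, once decoded and normalised, would climb out of the plugin's base directory. The log format and the query key `path` are assumptions; percent-decoding is applied repeatedly because a rule that only matches the literal '../' misses encoded variants such as %2e%2e%2f or %252e%252e.

```python
"""Flag path-traversal attempts against the 299ko filemanager endpoint in
web-server access logs. Added example, not 299ko's or the advisory's code:
the log lines are constructed and the query key 'path' is an assumption."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint path taken from the advisory; query keys are assumed, not documented.
TARGET = "/plugin/filemanager/controllers/FileManagerAPIController.php"
# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2025:00:42:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2025:00:42:12 +0000] "POST /plugin/filemanager/controllers/FileManagerAPIController.php?action=delete&path=uploads/report.pdf HTTP/1.1" 200 44 "-" "curl/8.0"
203.0.113.9 - - [18/Sep/2025:00:42:13 +0000] "POST /plugin/filemanager/controllers/FileManagerAPIController.php?action=delete&path=..%2F..%2Fconfig.php HTTP/1.1" 200 44 "-" "curl/8.0"
203.0.113.9 - - [18/Sep/2025:00:42:14 +0000] "GET /plugin/filemanager/controllers/FileManagerAPIController.php?action=delete&path=%252e%252e/%252e%252e/data HTTP/1.1" 403 0 "-" "curl/8.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding, so %252e%252e reads as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(path_param: str) -> bool:
    """True when the decoded, normalised path would leave a relative base directory."""
    decoded = fully_decode(path_param).replace("\\", "/")
    if decoded.startswith("/"):
        return True  # an absolute path is never inside the plugin's directory
    norm = posixpath.normpath(decoded)  # 'a/../b' -> 'b', but a leading '..' survives
    return norm == ".." or norm.startswith("../")

def flag_traversal(log_text: str) -> list:
    """One record per request to TARGET whose query carries a parameter that escapes the base."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        url = urlparse(m["url"]) if m else None
        if url is None or not url.path.endswith(TARGET):
            continue
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:  # parse_qs already removed one encoding layer
                if escapes_base(value):
                    hits.append({"ip": m["ip"], "time": m["ts"], "param": key,
                                 "decoded": fully_decode(value), "status": m["status"]})
    return hits
```

Note that a legitimate request such as `uploads/../report.pdf` normalises to `report.pdf` and is not flagged, while a 403 from the WAF still produces a record, since the attempt itself is what mitigation 4 asks to alert on.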
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-10T13:37:15.125Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c1ff9512193b50d3013746
Added to database: 9/10/2025, 10:45:41 PM
Last enriched: 9/18/2025, 12:42:11 AM
Last updated: 10/30/2025, 2:13:28 PM