
CVE-2025-10232: Path Traversal in 299ko

Medium
Published: Wed Sep 10 2025 (09/10/2025, 22:32:06 UTC)
Source: CVE Database V5
Product: 299ko

Description

A weakness has been identified in 299ko up to and including version 2.0.0. Affected is the function getSentDir/delete of the file plugin/filemanager/controllers/FileManagerAPIController.php. Manipulation of the supplied file path leads to path traversal. The attack can be launched remotely. A public exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/10/2025, 23:00:46 UTC

Technical Analysis

CVE-2025-10232 is a path traversal vulnerability in the 299ko web application, affecting versions up to and including 2.0.0. It lies in the getSentDir/delete function of plugin/filemanager/controllers/FileManagerAPIController.php, part of the filemanager plugin. Path traversal lets an attacker place sequences such as ../ in a user-controlled path so that the resolved path lands outside the directory the application intended to operate on. Here the affected operation is a delete, so the consequence is removal of files the file manager was never meant to touch. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L) shows the attack is network-reachable, has low complexity and needs no user interaction, but does require low privileges: an attacker needs an account that can call the file manager API, so the endpoint is not open to anonymous users. The impact sub-scores (VC:N/VI:L/VA:L) indicate no confidentiality impact and limited integrity and availability impact, which is consistent with an arbitrary-delete primitive rather than an arbitrary-read one. The base score is 5.3, medium severity. The vendor was notified but did not respond, and no patch has been released. No exploitation in the wild has been reported, but exploit details are public, which lowers the bar for opportunistic attacks. Deleting configuration, plugin or content files beyond the intended directory can corrupt the installation or take the site offline. Exposure is greatest for 299ko deployments whose filemanager plugin API is reachable from the internet or from untrusted networks.
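The following PHP script is an added illustration of the bug class and its fix; it is not 299ko's code, and the function names, the directory layout and the `../config.php` payload are assumptions. It contrasts a delete routine that joins a user-supplied relative path straight onto an upload directory with one that canonicalises both paths with realpath() and refuses anything that does not sit strictly inside the base directory. It needs PHP 8.0 or later for str_contains().

```php
<?php
// Added example, not code from 299ko or the advisory. Models a file-manager
// "delete" endpoint that receives a relative path and removes the file from an
// upload directory. Directory names, payload and function names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the relative path is joined to the root and used as-is.
// "../config.php" resolves to the parent directory and that file is deleted.
function deleteVulnerable(string $root, string $relative): bool
{
    $target = $root . '/' . $relative;       // no canonicalisation, no containment check
    return is_file($target) && unlink($target);
}

// Hardened resolution: canonicalise the root and the target, then require the
// target to lie strictly inside the root before touching the file system.
function resolveInside(string $root, string $relative): ?string
{
    // Fail closed on NUL bytes rather than relying on the filesystem layer to refuse them.
    if (str_contains($relative, "\0")) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false for a path
    // that does not exist; for a delete, "does not exist" is a safe answer too.
    $targetReal = realpath($rootReal . DIRECTORY_SEPARATOR . $relative);
    if ($targetReal === false) {
        return null;
    }
    // Compare against the root with a trailing separator so that a sibling
    // directory such as ".../sent2/x" is not accepted as inside ".../sent".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($targetReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $targetReal;
}

function deleteHardened(string $root, string $relative): bool
{
    $target = resolveInside($root, $relative);
    if ($target === null || !is_file($target)) {
        return false;                        // outside the root, missing, or not a regular file
    }
    return unlink($target);
}

// Demonstration in a scratch directory so the script is self-contained.
$base = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
$sent = $base . '/sent';                     // assumed upload directory
mkdir($sent, 0700, true);
file_put_contents($sent . '/report.pdf', 'legitimate upload');
file_put_contents($base . '/config.php', '<?php // secrets');

$payload = '../config.php';                  // constructed traversal payload

deleteVulnerable($sent, $payload);
printf("vulnerable: config.php %s\n", file_exists($base . '/config.php') ? 'survived' : 'DELETED');

file_put_contents($base . '/config.php', '<?php // secrets');   // restore it for the second run
deleteHardened($sent, $payload);
printf("hardened:   config.php %s\n", file_exists($base . '/config.php') ? 'survived' : 'DELETED');
printf("hardened:   report.pdf %s\n", deleteHardened($sent, 'report.pdf') ? 'deleted as intended' : 'refused');

// Remove the scratch directory.
@unlink($base . '/config.php');
@unlink($sent . '/report.pdf');
@rmdir($sent);
@rmdir($base);
```

Run it with `php traversal-demo.php`: the first call removes the parent directory's config.php, the hardened call leaves it in place, and the hardened call on report.pdf still deletes the legitimate file. The trailing-separator prefix check and the explicit realpath() of the root are the two details most often missed; skipping either reopens the hole via sibling directories or symlinked upload roots.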

Potential Impact

For European organizations, this vulnerability poses a moderate risk, particularly for entities running the 299ko CMS with the vulnerable filemanager plugin. Exploitation gives an authenticated low-privileged user the ability to delete files outside the intended directory, such as configuration files, plugin code or user-uploaded content, which can disrupt business operations, corrupt the installation or cause a denial of service. Loss of availability or integrity of personal data is a reportable matter under GDPR, so organizations in sectors with high regulatory scrutiny such as finance, healthcare and government could face reputational damage and legal consequences if exploited. Since the attack requires only a low-privileged account and no user interaction, and is reachable over the network, an attacker who holds or obtains such an account could script the attack and run it against many instances. The lack of vendor response and the absence of a patch widen the window of exposure, making timely mitigation critical. The medium severity score reflects that the vulnerability does not, on its own, disclose file contents or allow remote code execution, which limits the overall impact.

Mitigation Recommendations

European organizations should immediately audit their environments to identify any deployments of 299ko version 2.0.0 or earlier with the filemanager plugin enabled. Since no official patch is available, the following specific mitigations apply:

1) Review which accounts can reach the file manager API. The vulnerability requires an authenticated low-privileged user, so every account with that access is a potential attack path; remove stale or shared accounts and enforce strong authentication on the rest.
2) Restrict access to the FileManagerAPIController endpoints with network-level controls such as IP allow-listing or VPN access, limiting exposure to trusted users only.
3) Deploy web application firewall (WAF) rules that decode the request, including double-encoded values, and block path traversal patterns in parameters sent to the vulnerable API.
4) Harden file system permissions so the web server process can only delete files inside the directories the application genuinely needs to write to; deny write access to application code and configuration.
5) Monitor web server and application logs for requests to the file manager API containing directory traversal sequences or targeting unexpected files, and alert on successful (HTTP 200) responses to such requests.
6) If feasible, temporarily disable or remove the vulnerable filemanager plugin until a patch or vendor response is available.
7) Where the source can be modified locally, canonicalise the supplied path with realpath() and reject any result that does not sit inside the intended base directory before deleting.
8) Engage with the vendor or community to track any forthcoming patches or updates.
9) Conduct penetration testing focused on path traversal to validate the effectiveness of the mitigations.
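As an added example of the log-monitoring step (not part of the advisory and not 299ko code), the script below scans access-log lines in combined format for traversal attempts against a file-manager endpoint. The endpoint prefix, the log format and the log lines themselves are constructed for the example; it repeatedly percent-decodes the request target so that double-encoded payloads such as `..%252f` are caught, and flags the ones that returned HTTP 200. It needs PHP 8.0 or later for str_starts_with().

```php
<?php
// Added example, not code from 299ko or the advisory. Detects path traversal
// attempts against a file-manager API in web-server access logs. The endpoint
// prefix and all sample lines are constructed for illustration.
declare(strict_types=1);

const API_PREFIX = '/plugin/filemanager/';   // assumed endpoint prefix

// Constructed sample lines in Apache/nginx "combined" format.
$sampleLog = <<<'LOG'
203.0.113.7 - admin [10/Sep/2025:22:40:01 +0000] "GET /plugin/filemanager/api/delete?file=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 17 "-" "curl/8.4.0"
198.51.100.9 - editor [10/Sep/2025:22:41:13 +0000] "GET /plugin/filemanager/api/delete?file=..%252f..%252fconfig.php HTTP/1.1" 200 17 "-" "python-requests/2.32"
192.0.2.5 - editor [10/Sep/2025:22:42:00 +0000] "GET /plugin/filemanager/api/delete?file=reports/2025.pdf HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.6 - - [10/Sep/2025:22:43:30 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0"
LOG;

/** Percent-decode until the string stops changing (bounded), so double encoding does not evade the check. */
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

/** True when the decoded request target contains a ".." path segment in the path or a query value. */
function hasTraversal(string $target): bool
{
    $decoded = str_replace('\\', '/', fullyDecode($target));   // treat backslash as a separator too
    // ".." delimited by start/end, "/", or query punctuation. Overlong UTF-8 is left to the WAF.
    return (bool) preg_match('#(^|[/?=&])\.\.([/?&]|$)#', $decoded);
}

/** Parse one combined-format line; return a finding for traversal attempts against the API, else null. */
function scanLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $ip, $user, $ts, $method, $target, $status] = $m;
    if (!str_starts_with($target, API_PREFIX) || !hasTraversal($target)) {
        return null;
    }
    return [
        'ip'     => $ip,
        'user'   => $user,
        'time'   => $ts,
        'method' => $method,
        'status' => (int) $status,
        'target' => fullyDecode($target),
    ];
}

/** Scan a whole log text and return the list of findings. */
function scanLog(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        if (($hit = scanLine($line)) !== null) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

foreach (scanLog($sampleLog) as $hit) {
    // A 200 on a traversal attempt against the delete endpoint suggests the deletion went through.
    $severity = $hit['status'] === 200 ? 'LIKELY SUCCESS' : 'attempt';
    printf("[%s] %s user=%s %s %s %d\n",
        $severity, $hit['ip'], $hit['user'], $hit['method'], $hit['target'], $hit['status']);
}
```

Only the two file-manager requests are reported; the legitimate `reports/2025.pdf` delete and the traversal probe against index.php (outside the API prefix) are ignored. In production, feed real log lines through scanLog() and pair a finding with the `user` field from step 1 to decide whether the account should be disabled.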


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-10T13:37:15.125Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c1ff9512193b50d3013746

Added to database: 9/10/2025, 10:45:41 PM

Last enriched: 9/10/2025, 11:00:46 PM

Last updated: 9/10/2025, 11:51:33 PM

