CVE-2025-10245 is a path traversal vulnerability identified in the Display Painéis TGA product, specifically affecting versions up to 7.1.41. The vulnerability resides in the /gallery/rename endpoint of the Galeria Page component. It arises from improper validation or sanitization of the 'current_folder' argument, which allows an attacker to manipulate the file path and traverse directories outside the intended scope. This can enable unauthorized access to files and directories on the server's filesystem that should otherwise be inaccessible. The vulnerability has a CVSS 4.8 (medium) score with the vector indicating that the attack requires adjacent network access (AV:A), low attack complexity (AC:L), no user interaction (UI:N), and high privileges (PR:H). The impact on confidentiality, integrity, and availability is low, suggesting limited damage potential if exploited. The vendor was notified but has not responded, and no patches or mitigations have been published yet. Although the exploit code has been publicly released, there are no known active exploits in the wild at this time. The vulnerability could be leveraged by an attacker with high privileges on the network segment to gain unauthorized file access, potentially leading to information disclosure or limited system manipulation. However, the requirement for high privileges and adjacent network access reduces the overall risk to external attackers.

For European organizations using Display Painéis TGA, this vulnerability poses a moderate risk primarily to internal network security. Since exploitation requires high privileges and access to the adjacent network, the threat is more relevant to insiders or attackers who have already compromised part of the internal network. Successful exploitation could lead to unauthorized access to sensitive files, potentially exposing confidential information or configuration files. This could facilitate further attacks or data leakage. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, could face compliance risks if sensitive data is exposed. Additionally, the lack of vendor response and absence of patches increases the window of exposure. Given the medium severity and limited exploitability, the overall impact is contained but still significant enough to warrant prompt attention, especially in environments with sensitive data or critical infrastructure.

European organizations should implement the following specific mitigations: 1) Restrict access to the /gallery/rename endpoint to only trusted and authenticated users with a need-to-use basis, ideally limiting it to administrative roles. 2) Employ network segmentation to isolate systems running Display Painéis TGA from less trusted network zones, reducing the risk of adjacent network exploitation. 3) Monitor and log all access to the Galeria Page component and specifically the /gallery/rename endpoint to detect suspicious path traversal attempts. 4) Use web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in the 'current_folder' parameter. 5) Conduct internal audits and vulnerability scanning to identify affected versions and prioritize upgrades or compensating controls. 6) If possible, implement file system permissions to limit the web application's access to only necessary directories, minimizing the impact of path traversal. 7) Engage with the vendor for updates or patches and consider alternative products if no remediation is forthcoming. 8) Educate internal IT and security teams about this vulnerability to ensure rapid response if exploitation attempts are detected.