CVE-2025-10273 is a path traversal vulnerability identified in erjinzhi 10OA version 1.0, specifically affecting the /view/file.aspx endpoint. The vulnerability arises from improper validation or sanitization of the 'File' argument, allowing an attacker to manipulate the file path input to access files outside the intended directory structure. This type of vulnerability enables unauthorized reading of arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other critical data. The vulnerability requires low attack complexity and only limited privileges (PR:L) to exploit, with no user interaction needed. The attack vector is adjacent network (AV:A), meaning the attacker must have some network access close to the target environment, such as within the same local network or VPN. The CVSS 4.0 base score is 5.1 (medium severity), reflecting limited confidentiality impact (VC:L) and no impact on integrity or availability. The vendor has not responded to disclosure attempts, and no patches are currently available. Public exploits exist, increasing the risk of exploitation despite no known active exploitation in the wild at this time. Given the nature of the vulnerability, attackers could leverage it to gain sensitive information that may facilitate further attacks or lateral movement within a compromised network. The lack of vendor response and patch availability increases the urgency for organizations using erjinzhi 10OA 1.0 to implement mitigations and monitor for exploitation attempts.

For European organizations using erjinzhi 10OA 1.0, this vulnerability poses a moderate risk primarily related to confidentiality breaches. Unauthorized file access could lead to exposure of sensitive corporate data, intellectual property, or personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. The limited scope of impact (no integrity or availability effects) reduces the risk of direct operational disruption but does not eliminate the threat of information leakage that could be leveraged for subsequent attacks such as privilege escalation or lateral movement. The requirement for adjacent network access somewhat limits remote exploitation but does not preclude insider threats or attackers who have gained partial network access. Given the vendor's lack of response and absence of patches, European organizations must be vigilant, especially those in sectors with high data sensitivity such as finance, healthcare, and government. Failure to address this vulnerability could lead to compliance issues and increased risk of targeted attacks exploiting exposed data.

Since no official patch is available, European organizations should implement compensating controls to mitigate the risk. These include: 1) Network segmentation and strict access controls to limit access to the erjinzhi 10OA application, ensuring only trusted users and systems can reach the vulnerable endpoint. 2) Web application firewalls (WAFs) configured with custom rules to detect and block path traversal patterns targeting the /view/file.aspx endpoint, especially suspicious 'File' parameter manipulations. 3) Continuous monitoring and logging of access to the vulnerable endpoint to detect anomalous requests indicative of exploitation attempts. 4) Restrict file system permissions for the application process to the minimum necessary, preventing access to sensitive files outside the intended directories. 5) Conduct internal audits and penetration tests to identify potential exploitation paths. 6) If feasible, consider disabling or isolating the vulnerable functionality until a patch or vendor fix is available. 7) Engage with the vendor or community for updates and share threat intelligence to stay informed about emerging exploits or mitigations.