CVE-2025-10468 is a high-severity path traversal vulnerability (CWE-22) affecting Beyaz Computer's CityPlus product versions prior to 24.29375. Path traversal vulnerabilities occur when an application improperly restricts user-supplied input that specifies file or directory paths, allowing attackers to access files and directories outside the intended restricted directory. In this case, CityPlus fails to adequately limit pathname inputs, enabling an attacker to craft malicious requests that traverse directories and access sensitive files on the underlying system. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is primarily on confidentiality, allowing unauthorized disclosure of sensitive information stored on the server. There is no indication that integrity or availability are affected. Although no known exploits are currently observed in the wild, the ease of exploitation and high confidentiality impact make this a significant risk. Beyaz Computer has not yet published patches or mitigations, and the affected versions include all prior to 24.29375, suggesting that the vulnerability is present in widely deployed versions of CityPlus. Given CityPlus is a product by Beyaz Computer, it is likely used in business or enterprise environments, potentially managing sensitive data or configurations, which increases the risk profile of this vulnerability.

For European organizations using CityPlus, this vulnerability poses a serious threat to the confidentiality of sensitive data. Attackers exploiting this flaw can access configuration files, credentials, or other sensitive documents stored on the server, potentially leading to further compromise or data breaches. This could result in regulatory non-compliance, especially under GDPR, due to unauthorized data exposure. The lack of required authentication means that any exposed CityPlus instance accessible over the internet or internal networks is at risk. Industries such as finance, healthcare, and critical infrastructure in Europe that rely on CityPlus for operational management could face significant operational and reputational damage if exploited. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within networks, increasing the overall risk posture of affected organizations.

European organizations should immediately inventory their deployments of Beyaz Computer CityPlus to identify affected versions. Until an official patch is released, organizations should implement strict network-level access controls to restrict access to CityPlus interfaces, limiting exposure to trusted internal IPs only. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attack patterns targeting CityPlus. Conduct thorough logging and monitoring of file access requests to detect anomalous behavior indicative of exploitation attempts. If possible, deploy application-layer input validation proxies to sanitize and restrict pathname inputs. Organizations should engage with Beyaz Computer for timely updates and patches and plan for rapid deployment once available. Additionally, conduct security awareness training for IT staff to recognize signs of exploitation and ensure incident response plans include scenarios involving path traversal attacks.