CVE-2025-10766 is a path traversal vulnerability identified in SeriaWei's ZKEACMS content management system, specifically affecting versions 4.0 through 4.3. The vulnerability resides in the Download function within the EventViewerController.cs file. By manipulating the 'ID' argument passed to this function, an attacker can perform a path traversal attack, enabling them to access files outside the intended directory scope. This can lead to unauthorized disclosure of sensitive files on the server. The vulnerability is remotely exploitable without requiring user interaction or authentication, making it a significant risk. The CVSS 4.0 base score is 5.3 (medium severity), reflecting that the attack vector is network-based with low attack complexity and no privileges or user interaction required. The vendor was notified but did not respond or provide a patch, and a public exploit is available, increasing the risk of exploitation. Although no known exploits in the wild have been reported yet, the availability of a public exploit raises the likelihood of future attacks. The vulnerability does not affect confidentiality, integrity, or availability to a critical extent but can lead to sensitive information disclosure, which may facilitate further attacks or data breaches.

For European organizations using SeriaWei ZKEACMS versions 4.0 to 4.3, this vulnerability poses a risk of unauthorized access to sensitive files on their web servers. This could include configuration files, credentials, or other critical data that could be leveraged for further compromise. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if sensitive data is exposed. The remote exploitability without authentication means attackers can target vulnerable systems directly over the internet, increasing exposure. While the immediate impact is information disclosure, the resulting data could enable privilege escalation or lateral movement within networks. This could lead to reputational damage, regulatory penalties under GDPR, and operational disruptions if attackers use disclosed information to launch subsequent attacks.

Given the lack of vendor response and absence of official patches, European organizations should implement immediate compensating controls. These include: 1) Restricting access to the vulnerable Download function by applying web application firewall (WAF) rules that detect and block path traversal patterns in the 'ID' parameter. 2) Implement strict input validation and sanitization at the application or proxy level to prevent traversal sequences such as '../'. 3) Limit file system permissions of the web server process to the minimum necessary, preventing access to sensitive directories outside the CMS scope. 4) Monitor web server logs for suspicious requests targeting the Download function or containing traversal payloads. 5) Consider isolating or segmenting the CMS server from critical internal networks to reduce potential lateral movement. 6) If feasible, upgrade to a newer, unaffected version of ZKEACMS once available or migrate to alternative CMS platforms with active support. 7) Conduct regular security assessments and penetration tests focusing on path traversal and related vulnerabilities.