CVE-2025-12055 is a path traversal vulnerability (CWE-22) found in MPDV Mikrolab GmbH's industrial software products MIP 2, HYDRA X, and FEDRA 2. The vulnerability exists in the handling of the "Filename" parameter within the public $SCHEMAS$ resource, which fails to properly restrict pathname inputs to a safe directory. This improper limitation allows an unauthenticated attacker to craft requests that traverse directories and read arbitrary files on the underlying Windows operating system. The flaw affects all releases prior to Maintenance Pack 36 with Servicepack 8, scheduled for release in week 36 of 2025. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is high on confidentiality as attackers can access sensitive files, but it does not affect integrity or availability. Although no public exploits have been reported yet, the vulnerability is straightforward to exploit remotely, making it a significant risk. The affected products are widely used in manufacturing execution systems (MES) and industrial production environments, where exposure of configuration files, credentials, or system data could lead to operational disruptions or intellectual property theft.

For European organizations, particularly those in manufacturing and industrial sectors using MPDV Mikrolab GmbH's software, this vulnerability can lead to unauthorized disclosure of sensitive system files, including configuration files, credentials, or proprietary data. Such exposure could facilitate further attacks, including lateral movement, espionage, or sabotage of industrial processes. Confidentiality breaches may result in intellectual property theft or compliance violations under GDPR if personal or sensitive data is exposed. Although the vulnerability does not directly impact system integrity or availability, the information gained could be leveraged to mount more damaging attacks. The risk is heightened in environments where these products are integrated into critical production systems, potentially affecting operational continuity and competitive advantage.

Organizations should prioritize applying the Maintenance Pack 36 with Servicepack 8 update from MPDV Mikrolab GmbH as soon as it becomes available to remediate the vulnerability. Until the patch is deployed, restrict network access to the affected services by implementing firewall rules or network segmentation to limit exposure to trusted users and systems only. Monitor network traffic for unusual access patterns targeting the $SCHEMAS$ resource or attempts to exploit path traversal. Conduct regular audits of system and application logs to detect unauthorized file access attempts. Employ application-layer security controls such as web application firewalls (WAFs) that can detect and block path traversal payloads. Additionally, review and harden file system permissions to minimize the impact of potential file disclosures. Engage with MPDV support for guidance and verify the integrity of software updates before deployment.