CVE-2025-12055: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MPDV Mikrolab GmbH MIP 2
HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance Pack 36 with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system. The "Filename" parameter of the public $SCHEMAS$ resource is vulnerable and can be exploited easily.
AI Analysis
Technical Summary
CVE-2025-12055 identifies a path traversal vulnerability (CWE-22) in MPDV Mikrolab GmbH's industrial software products MIP 2, HYDRA X, and FEDRA 2. The vulnerability exists in all releases prior to Maintenance Pack 36 with Servicepack 8 (scheduled for week 36 of 2025). It allows unauthenticated local attackers to manipulate the 'Filename' parameter of the public $SCHEMAS$ resource to access arbitrary files on the underlying Windows operating system. Because the pathname is not properly limited to the intended directory, attackers can bypass the directory restrictions, potentially exposing sensitive configuration files, credentials, or other critical data stored on the host. The vulnerability does not require authentication or user interaction, increasing the risk of exploitation by insiders or attackers with local access. While no public exploits have been reported yet, the flaw's nature suggests it could be weaponized to facilitate further attacks or data leakage. The affected products are commonly used in manufacturing execution systems (MES) and industrial process management, making confidentiality and integrity of data paramount. The vulnerability's resolution depends on applying the vendor's maintenance pack update once available. Until then, organizations must rely on access restrictions and monitoring to mitigate risk.
Potential Impact
For European organizations, especially those in manufacturing and industrial sectors relying on MPDV Mikrolab GmbH's software, this vulnerability poses a significant risk of unauthorized disclosure of sensitive operational data. Exposure of configuration files or credentials could lead to further compromise of industrial control systems or intellectual property theft. The unauthenticated nature of the flaw means that any local user or attacker with access to the system could exploit it, increasing insider threat risks. This could disrupt production processes or lead to regulatory compliance issues under GDPR if personal or sensitive data is exposed. The impact on confidentiality is high, while integrity and availability impacts are indirect but possible if attackers leverage disclosed information for subsequent attacks. The lack of known exploits currently limits immediate widespread impact, but the vulnerability remains a critical concern for organizations with MPDV deployments.
Mitigation Recommendations
Organizations should prioritize the deployment of Maintenance Pack 36 with Servicepack 8 from MPDV Mikrolab GmbH as soon as it becomes available to remediate this vulnerability. Until the patch is applied, strict local access controls must be enforced to limit system access to authorized personnel only, reducing the risk of exploitation. Implementing application whitelisting and monitoring file access patterns can help detect suspicious activity related to path traversal attempts. Network segmentation should isolate affected systems to minimize lateral movement in case of compromise. Regular audits of user privileges and system logs will aid in early detection of exploitation attempts. Additionally, organizations should consider disabling or restricting access to the vulnerable $SCHEMAS$ resource if feasible. Security awareness training for staff about insider threats and local system security best practices will further reduce risk.
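The monitoring recommended above can be sketched as a log check for $SCHEMAS$ requests whose Filename value resolves outside the schema directory. This is an added example, not code from the vendor or from this advisory; the log format, the `/app/` URL prefix, the `SCHEMA_ROOT` path and all function names are assumptions, and the log lines are constructed.

```python
import ntpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: directory the schema files are served from (not given on the page).
SCHEMA_ROOT = r"C:\app\schemas"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines; the /app/ prefix and log format are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2025:07:00:01 +0000] "GET /app/$SCHEMAS$?Filename=order.xsd HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:07:00:02 +0000] "GET /app/$SCHEMAS$?Filename=..%5C..%5CWindows%5Cwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [27/Oct/2025:07:00:03 +0000] "GET /app/$SCHEMAS$?filename=%252e%252e%252fweb.config HTTP/1.1" 200 40',
    '10.0.0.7 - - [27/Oct/2025:07:00:04 +0000] "GET /app/status?Filename=..%5Cx HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding so %252e and %2e both end up as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(filename, root=SCHEMA_ROOT):
    """True if the Windows path built from `filename` resolves outside `root`."""
    name = fully_decode(filename).replace("/", "\\")
    # ntpath applies Windows rules on any OS: '..', drive letters, UNC, rooted paths.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
    base = ntpath.normcase(ntpath.normpath(root))
    return target != base and not target.startswith(base + "\\")

def suspicious_requests(log_lines, resource="$SCHEMAS$", param="filename"):
    """Return (client, decoded Filename) for requests whose Filename leaves the root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if resource.lower() not in unquote(url.path).lower():
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == param and escapes_root(value):
                hits.append((line.split()[0], fully_decode(value)))
    return hits

if __name__ == "__main__":
    for client, name in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {client} requested Filename={name!r}")
```

Resolving the value against the root, rather than matching on `..` alone, also flags absolute, drive-letter and UNC paths, and leaves ordinary relative schema names unflagged.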
Affected Countries
Germany, France, Italy, Belgium, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-10-22T06:45:51.500Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68ff17d045f6dd1a506a0db6
Added to database: 10/27/2025, 6:57:20 AM
Last enriched: 10/27/2025, 7:06:04 AM
Last updated: 10/27/2025, 10:44:11 AM