CVE-2025-15066 is a path traversal vulnerability classified under CWE-22 and CWE-862 affecting Innorix WP, a product by Innorix. The vulnerability arises from improper limitation of pathnames to restricted directories, allowing an attacker to traverse directories beyond the intended scope. Specifically, if an 'exam' directory exists under the installation directory (e.g., innorix/exam), the product fails to properly restrict pathname inputs, enabling unauthorized access to files outside the intended directory. The vulnerability does not require authentication or user interaction but does require local access (AV:L), meaning an attacker must have some level of access to the system to exploit it. The CVSS 4.0 base score is 6.9 (medium severity), reflecting a moderate impact primarily on confidentiality due to unauthorized file access. The vulnerability does not affect integrity or availability directly and does not involve network attack vectors. No patches or known exploits are currently available, indicating the need for proactive mitigation. The issue was published on December 29, 2025, and remains a concern for all versions of Innorix WP where the 'exam' directory exists. The vulnerability is significant because it can lead to unauthorized disclosure of sensitive information, potentially exposing confidential data or configuration files critical to system security.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive information stored within or accessible via the Innorix WP installation directories. Organizations in sectors such as education, healthcare, or government that may use Innorix WP with the 'exam' directory are particularly vulnerable. The impact is primarily on confidentiality, as attackers can read files outside the intended directory scope. This could lead to exposure of personal data, intellectual property, or system configuration files, potentially facilitating further attacks. Since exploitation requires local access, the threat is higher in environments where multiple users have system access or where attackers can gain initial footholds through other means. The lack of authentication requirement means that once local access is obtained, attackers can exploit the vulnerability without further barriers. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation. European organizations must consider this vulnerability in their risk assessments, especially those with Innorix WP deployments in critical infrastructure or regulated industries subject to strict data protection regulations like GDPR.

1. Immediately verify if the 'exam' directory exists under the Innorix WP installation path; if it is not required, remove or rename it to prevent exploitation. 2. Implement strict input validation and sanitization on all pathname inputs within Innorix WP to ensure traversal sequences (e.g., '../') are blocked or properly handled. 3. Restrict local access to systems running Innorix WP to trusted users only, employing strong access controls and monitoring. 4. Monitor file system access logs for unusual or unauthorized attempts to access directories outside the intended scope, especially targeting the 'exam' directory or parent directories. 5. If possible, isolate Innorix WP installations in segmented network zones to limit lateral movement in case of compromise. 6. Engage with Innorix vendor support to obtain patches or official guidance once available. 7. Conduct regular security audits and penetration testing focusing on path traversal and authorization bypass vulnerabilities. 8. Educate system administrators and users about the risks of local privilege escalation and path traversal attacks to enhance detection and response capabilities.