CVE-2025-15432 is a path traversal vulnerability identified in the yeqifu carRental software, specifically within the downloadShowFile function of the /file/downloadShowFile.action endpoint in the FileController component. The vulnerability arises from improper validation of the 'path' parameter, allowing an attacker to craft requests that traverse directories and access arbitrary files on the server's filesystem. This can lead to unauthorized disclosure of sensitive information stored on the server. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The product follows a rolling release model, complicating version-specific patching, and as of the latest information, the vendor has not responded or released a fix. The CVSS 4.0 base score is 6.9, reflecting a medium severity due to the ease of exploitation and the confidentiality impact, but no direct impact on integrity or availability. No known exploits are currently reported in the wild, but public disclosure of the exploit code increases the risk of exploitation. The vulnerability affects all versions up to the specified commit hash, making all users of the software potentially vulnerable unless mitigations are applied.

For European organizations, the primary impact of this vulnerability is unauthorized access to sensitive files, which could include configuration files, credentials, or personal data, leading to confidentiality breaches. This is particularly critical for companies in the car rental and fleet management sectors that rely on yeqifu carRental software to manage customer data and operational information. Exposure of such data could result in regulatory penalties under GDPR, reputational damage, and potential operational disruptions if sensitive configuration files are accessed or leaked. Since the vulnerability does not affect integrity or availability directly, the risk of system manipulation or denial of service is lower but cannot be entirely ruled out if attackers leverage obtained information for further attacks. The lack of vendor response and patch availability increases the window of exposure. European organizations with interconnected systems or cloud deployments may face increased risk due to the remote exploitability of this vulnerability.

1. Implement strict input validation and sanitization on the 'path' parameter at the application level to prevent directory traversal sequences such as '../'. 2. Employ a web application firewall (WAF) with rules specifically designed to detect and block path traversal attempts targeting the downloadShowFile endpoint. 3. Restrict file access permissions on the server to limit the files accessible by the application process, ensuring it cannot access sensitive system or configuration files. 4. Monitor server logs for unusual access patterns or attempts to access files outside the intended directories. 5. If possible, isolate the carRental application in a segmented network zone to reduce exposure. 6. Engage with the vendor or community to obtain updates or patches as soon as they become available. 7. Consider deploying runtime application self-protection (RASP) solutions that can detect and block exploitation attempts in real-time. 8. Conduct regular security assessments and penetration testing focusing on file access controls and input validation.