The vulnerability identified as CVE-2025-25652 affects Eptura Archibus version 2024.03.01.109, specifically targeting the "Run script" and "Server File" components within the Database Update Wizard. The issue is a directory traversal vulnerability, which occurs when an application improperly sanitizes user-supplied input used to construct file paths. This allows an attacker to traverse outside the intended directory boundaries by using sequences like "../" to access arbitrary files on the server's filesystem. Such unauthorized access can lead to disclosure of sensitive configuration files, credentials, or other critical data stored on the server. While no public exploits have been reported, the vulnerability's presence in a core administrative component increases risk, as attackers might leverage it to gather intelligence or prepare for further attacks, including remote code execution if combined with other flaws. The lack of a CVSS score indicates that the vulnerability has not yet been fully assessed, but the technical nature suggests significant risk. The vulnerability was reserved in early 2025 and published in early 2026, indicating recent discovery and disclosure. No patches or mitigations have been officially released at the time of this report, emphasizing the need for immediate defensive measures.

For European organizations, the impact of CVE-2025-25652 can be substantial, especially for those relying on Eptura Archibus for facility and real estate management. Unauthorized directory traversal can lead to exposure of sensitive internal documents, user credentials, or system configuration files, compromising confidentiality. This exposure can facilitate lateral movement within networks or enable attackers to escalate privileges. The integrity of data may also be at risk if attackers modify files or scripts accessed via the vulnerability. Availability impact is less direct but could occur if attackers disrupt system operations through malicious file manipulation. Given the administrative nature of the affected components, exploitation could undermine trust in critical infrastructure management systems. Organizations handling sensitive or regulated data (e.g., personal data under GDPR) face compliance risks and potential financial penalties if breaches occur. The absence of known exploits provides a window for proactive defense, but the ease of exploitation without authentication increases urgency.

1. Immediately restrict access to the Database Update Wizard components, especially the "Run script" and "Server File" features, limiting usage to trusted administrators only. 2. Implement strict input validation and sanitization on all user-supplied file path inputs to prevent directory traversal sequences. 3. Enforce least privilege file system permissions on the server to ensure the application process cannot access sensitive directories beyond its scope. 4. Monitor logs for unusual file access patterns or attempts to use traversal sequences. 5. Engage with Eptura Archibus vendor support to obtain patches or updates addressing this vulnerability as soon as they become available. 6. Consider deploying web application firewalls (WAFs) with custom rules to detect and block directory traversal attempts targeting these components. 7. Conduct security audits and penetration testing focused on file path handling in the affected application modules. 8. Educate administrators on the risks and signs of exploitation to improve detection and response.