CVE-2025-34022: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Selea Targa IP OCR-ANPR Camera
A path traversal vulnerability exists in multiple models of Selea Targa IP OCR-ANPR cameras, including iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, and Targa 704 ILB. The /common/get_file.php script in the “Download Archive in Storage” page fails to properly validate user-supplied input to the file parameter. Unauthenticated remote attackers can exploit this vulnerability to read arbitrary files on the device, including sensitive system files containing cleartext credentials, potentially leading to authentication bypass and exposure of system information.
AI Analysis
Technical Summary
CVE-2025-34022 is a critical path traversal vulnerability (CWE-22) affecting multiple models of Selea's Targa IP OCR-ANPR cameras, including iZero, Targa 512, 504, Semplice, 704 TKM, 805, 710 INOX, 750, and 704 ILB. The vulnerability resides in the /common/get_file.php script used on the "Download Archive in Storage" page. This script fails to properly sanitize and validate the user-supplied 'file' parameter, allowing unauthenticated remote attackers to perform directory traversal attacks. By exploiting this flaw, attackers can access arbitrary files on the device's filesystem, including sensitive system files that may contain cleartext credentials and other critical system information. This can lead to authentication bypass, unauthorized access, and potential full compromise of the device. The vulnerability affects multiple firmware versions, with builds dated from as early as 2019 through 2020, and CPS versions 3.x and 4.x. The CVSS 4.0 base score is 9.3 (critical), reflecting the high impact and ease of exploitation without requiring authentication or user interaction. The vulnerability severely compromises confidentiality and integrity, with potential cascading effects on availability if attackers leverage the information to disrupt device operation or pivot into the network. No patches or exploits in the wild are currently reported, but the criticality and nature of the vulnerability make it a high-priority risk for organizations using these devices.
Potential Impact
For European organizations, the impact of this vulnerability is significant, especially for those deploying Selea Targa IP OCR-ANPR cameras in critical infrastructure, law enforcement, transportation, and smart city environments. These cameras are often used for automated license plate recognition and vehicle monitoring, making them integral to security and operational workflows. Exploitation could lead to unauthorized disclosure of sensitive data, including credentials that protect the device and potentially connected systems. This could enable attackers to bypass authentication controls, manipulate camera data, disrupt surveillance operations, or gain a foothold within the network. The compromise of such devices could undermine public safety, law enforcement investigations, and traffic management systems. Additionally, the exposure of system files might facilitate further attacks, such as firmware tampering or lateral movement within organizational networks. Given the criticality and unauthenticated nature of the exploit, the threat poses a high risk to confidentiality, integrity, and availability of affected systems and associated services.
Mitigation Recommendations
1. Immediate mitigation should focus on network-level controls: restrict access to the camera management interfaces to trusted internal networks only, using firewalls or VLAN segmentation to prevent exposure to untrusted networks or the internet.
2. Implement strict access control lists (ACLs) on network devices to limit which hosts can communicate with the cameras, ideally allowing only authorized management stations.
3. Monitor network traffic for unusual requests targeting the /common/get_file.php endpoint or attempts to use directory traversal patterns (e.g., '../') in HTTP parameters.
4. Where possible, disable or restrict the 'Download Archive in Storage' functionality if not essential for operations.
5. Engage with Selea for firmware updates or patches addressing this vulnerability; if unavailable, consider temporary device replacement or compensating controls.
6. Conduct regular audits of device configurations and logs to detect any signs of exploitation or unauthorized access.
7. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect path traversal attempts targeting these devices.
8. Educate operational technology (OT) and security teams about this vulnerability to ensure rapid response and remediation planning.
9. Consider isolating the cameras on dedicated networks with no direct internet access to minimize exposure.
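The monitoring recommended in items 3 and 7 can be prototyped against reverse-proxy or web access logs. The following is an added example, not code from the advisory or the vendor: it flags requests to /common/get_file.php whose 'file' value resolves to a traversal after repeated percent-decoding. The combined log format, the sample lines, and the assumption that legitimate values are bare archive file names are all assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "/common/get_file.php"  # script named in the advisory
PARAM = "file"                     # parameter named in the advisory
# Combined-format access log entry (the log format is an assumption).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2025:10:00:01 +0000] "GET /common/get_file.php?file=archive_20250621.zip HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Jun/2025:10:00:05 +0000] "GET /common/get_file.php?file=../../../placeholder/file HTTP/1.1" 200 812',
    '198.51.100.7 - - [21/Jun/2025:10:00:06 +0000] "GET /common/get_file.php?file=%252e%252e%252f%252e%252e%252fplaceholder HTTP/1.1" 200 640',
    '203.0.113.4 - - [21/Jun/2025:10:00:09 +0000] "GET /index.php?file=../x HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded separators are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value climbs directories or is an absolute path."""
    norm = fully_decode(value).replace("\\", "/")
    return norm.startswith("/") or ".." in norm.split("/")

def scan(lines):
    """Return (source address, file value) for suspicious get_file.php requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if posixpath.normpath(fully_decode(path)).lower() != ENDPOINT:
            continue
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):  # value is already decoded once by parse_qs
                hits.append((m.group("src"), value))
    return hits

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"traversal attempt from {src}: file={value!r}")
```

Because the endpoint is reachable without authentication, a hit that was answered with a 200 status is worth treating as possible credential exposure rather than only as a probe.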
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.545Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68568e82aded773421b5a855
Added to database: 6/21/2025, 10:50:42 AM
Last enriched: 6/21/2025, 11:07:22 AM
Last updated: 8/17/2025, 12:26:16 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)