CVE-2025-34076: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Microweber Ltd. CMS
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
AI Analysis
Technical Summary
CVE-2025-34076 is a path traversal vulnerability (CWE-22) affecting Microweber Ltd.'s CMS versions up to 1.2.11. The flaw exists in the backup management API, specifically in the /api/BackupV2/upload and /api/BackupV2/download endpoints. Authenticated users with at least low privileges can exploit this vulnerability by supplying an absolute file path in the 'src' parameter of the upload request. Due to insufficient validation and improper restriction of user-supplied paths, the server may relocate or delete arbitrary files on the underlying filesystem depending on the web service user's permissions. Subsequently, the download endpoint can be abused to retrieve the contents of these files, effectively enabling local file disclosure. This vulnerability arises from inadequate input sanitization and weak access control in the backup logic, allowing attackers to read sensitive files or manipulate filesystem objects. Although exploitation requires authentication, no user interaction beyond API requests is needed, and the attack can be performed remotely over the network. The CVSS v4.0 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, and partial impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The vulnerability poses a risk of sensitive data exposure and potential disruption of CMS operations if critical files are deleted or moved.
Potential Impact
For European organizations using Microweber CMS, this vulnerability could lead to unauthorized disclosure of sensitive internal files such as configuration files, credentials, or proprietary data, undermining confidentiality. The ability to relocate or delete files also threatens data integrity and availability, potentially causing service disruptions or data loss. Organizations in sectors with strict data protection regulations (e.g., GDPR) face compliance risks if personal or sensitive data is exposed. Attackers with authenticated access—potentially through compromised user accounts—could leverage this flaw to escalate privileges or prepare further attacks. Given the CMS's role in managing web content, exploitation could also facilitate website defacement or injection of malicious content, damaging reputation and trust. The medium severity score indicates a significant but not critical risk, emphasizing the need for timely remediation to prevent exploitation in environments where Microweber CMS is deployed.
Mitigation Recommendations
1. Immediate upgrade: Organizations should update Microweber CMS to a version beyond 1.2.11 once a patch addressing CVE-2025-34076 is released. 2. Access control tightening: Restrict access to the backup management API endpoints strictly to trusted administrators and minimize the number of users with backup privileges. 3. Network segmentation: Limit exposure of the CMS backend and API endpoints by placing them behind firewalls or VPNs accessible only to authorized personnel. 4. Input validation: Implement additional web application firewall (WAF) rules to detect and block requests containing suspicious path traversal patterns targeting the 'src' parameter. 5. Monitoring and logging: Enable detailed logging of API calls to /api/BackupV2/upload and /download endpoints and monitor for anomalous file path parameters or unusual file access patterns. 6. Least privilege principle: Ensure the web service user running the CMS has minimal filesystem permissions, preventing unauthorized file deletion or relocation beyond what is necessary. 7. Incident response readiness: Prepare to investigate and remediate any signs of exploitation, including unauthorized file access or modification, and conduct regular security audits of CMS configurations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-34076: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Microweber Ltd. CMS
Description
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
AI-Powered Analysis
Technical Analysis
CVE-2025-34076 is a path traversal vulnerability (CWE-22) affecting Microweber Ltd.'s CMS versions up to 1.2.11. The flaw exists in the backup management API, specifically in the /api/BackupV2/upload and /api/BackupV2/download endpoints. Authenticated users with at least low privileges can exploit this vulnerability by supplying an absolute file path in the 'src' parameter of the upload request. Due to insufficient validation and improper restriction of user-supplied paths, the server may relocate or delete arbitrary files on the underlying filesystem depending on the web service user's permissions. Subsequently, the download endpoint can be abused to retrieve the contents of these files, effectively enabling local file disclosure. This vulnerability arises from inadequate input sanitization and weak access control in the backup logic, allowing attackers to read sensitive files or manipulate filesystem objects. Although exploitation requires authentication, no user interaction beyond API requests is needed, and the attack can be performed remotely over the network. The CVSS v4.0 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, and partial impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The vulnerability poses a risk of sensitive data exposure and potential disruption of CMS operations if critical files are deleted or moved.
Potential Impact
For European organizations using Microweber CMS, this vulnerability could lead to unauthorized disclosure of sensitive internal files such as configuration files, credentials, or proprietary data, undermining confidentiality. The ability to relocate or delete files also threatens data integrity and availability, potentially causing service disruptions or data loss. Organizations in sectors with strict data protection regulations (e.g., GDPR) face compliance risks if personal or sensitive data is exposed. Attackers with authenticated access—potentially through compromised user accounts—could leverage this flaw to escalate privileges or prepare further attacks. Given the CMS's role in managing web content, exploitation could also facilitate website defacement or injection of malicious content, damaging reputation and trust. The medium severity score indicates a significant but not critical risk, emphasizing the need for timely remediation to prevent exploitation in environments where Microweber CMS is deployed.
Mitigation Recommendations
1. Immediate upgrade: Organizations should update Microweber CMS to a version beyond 1.2.11 once a patch addressing CVE-2025-34076 is released. 2. Access control tightening: Restrict access to the backup management API endpoints strictly to trusted administrators and minimize the number of users with backup privileges. 3. Network segmentation: Limit exposure of the CMS backend and API endpoints by placing them behind firewalls or VPNs accessible only to authorized personnel. 4. Input validation: Implement additional web application firewall (WAF) rules to detect and block requests containing suspicious path traversal patterns targeting the 'src' parameter. 5. Monitoring and logging: Enable detailed logging of API calls to /api/BackupV2/upload and /download endpoints and monitor for anomalous file path parameters or unusual file access patterns. 6. Least privilege principle: Ensure the web service user running the CMS has minimal filesystem permissions, preventing unauthorized file deletion or relocation beyond what is necessary. 7. Incident response readiness: Prepare to investigate and remediate any signs of exploitation, including unauthorized file access or modification, and conduct regular security audits of CMS configurations.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.550Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68658af26f40f0eb7293bb1f
Added to database: 7/2/2025, 7:39:30 PM
Last enriched: 7/2/2025, 7:55:39 PM
Last updated: 7/13/2025, 7:56:29 AM
Views: 15
Related Threats
CVE-2025-53930: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
MediumCVE-2025-53929: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
MediumCVE-2025-53931: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
MediumCVE-2025-7357: CWE-256 Plaintext Storage of a Password in LITEON IC48A EV Charger
HighCVE-2025-53934: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.