CVE-2025-34076 is a path traversal vulnerability (CWE-22) affecting Microweber Ltd.'s CMS versions up to 1.2.11. The flaw exists in the backup management API, specifically in the /api/BackupV2/upload and /api/BackupV2/download endpoints. Authenticated users with at least low privileges can exploit this vulnerability by supplying an absolute file path in the 'src' parameter of the upload request. Due to insufficient validation and improper restriction of user-supplied paths, the server may relocate or delete arbitrary files on the underlying filesystem depending on the web service user's permissions. Subsequently, the download endpoint can be abused to retrieve the contents of these files, effectively enabling local file disclosure. This vulnerability arises from inadequate input sanitization and weak access control in the backup logic, allowing attackers to read sensitive files or manipulate filesystem objects. Although exploitation requires authentication, no user interaction beyond API requests is needed, and the attack can be performed remotely over the network. The CVSS v4.0 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, and partial impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The vulnerability poses a risk of sensitive data exposure and potential disruption of CMS operations if critical files are deleted or moved.

For European organizations using Microweber CMS, this vulnerability could lead to unauthorized disclosure of sensitive internal files such as configuration files, credentials, or proprietary data, undermining confidentiality. The ability to relocate or delete files also threatens data integrity and availability, potentially causing service disruptions or data loss. Organizations in sectors with strict data protection regulations (e.g., GDPR) face compliance risks if personal or sensitive data is exposed. Attackers with authenticated access—potentially through compromised user accounts—could leverage this flaw to escalate privileges or prepare further attacks. Given the CMS's role in managing web content, exploitation could also facilitate website defacement or injection of malicious content, damaging reputation and trust. The medium severity score indicates a significant but not critical risk, emphasizing the need for timely remediation to prevent exploitation in environments where Microweber CMS is deployed.

1. Immediate upgrade: Organizations should update Microweber CMS to a version beyond 1.2.11 once a patch addressing CVE-2025-34076 is released. 2. Access control tightening: Restrict access to the backup management API endpoints strictly to trusted administrators and minimize the number of users with backup privileges. 3. Network segmentation: Limit exposure of the CMS backend and API endpoints by placing them behind firewalls or VPNs accessible only to authorized personnel. 4. Input validation: Implement additional web application firewall (WAF) rules to detect and block requests containing suspicious path traversal patterns targeting the 'src' parameter. 5. Monitoring and logging: Enable detailed logging of API calls to /api/BackupV2/upload and /download endpoints and monitor for anomalous file path parameters or unusual file access patterns. 6. Least privilege principle: Ensure the web service user running the CMS has minimal filesystem permissions, preventing unauthorized file deletion or relocation beyond what is necessary. 7. Incident response readiness: Prepare to investigate and remediate any signs of exploitation, including unauthorized file access or modification, and conduct regular security audits of CMS configurations.