CVE-2025-34320: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in BASIS International Ltd. BASIS BBj
CVE-2025-34320 is a critical path traversal vulnerability in BASIS International Ltd. 's BASIS BBj product versions prior to 25. 00. The flaw exists in a Jetty-served web endpoint that does not properly validate or canonicalize input path segments, allowing unauthenticated attackers to read arbitrary files accessible to the service account. Sensitive configuration files containing credentials for BBj Enterprise Manager can be exposed, enabling attackers to gain administrative access and execute system commands with the service account's privileges. The impact varies depending on the operating system and service account privileges, potentially exposing confidential OS or application data. The vulnerability has a CVSS 4. 0 score of 9. 3, indicating critical severity with network attack vector, no required authentication or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2025-34320 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) affecting BASIS International Ltd.'s BASIS BBj software versions prior to 25.00. The vulnerability arises from a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments, allowing an unauthenticated attacker to craft directory traversal sequences (e.g., ../) to access arbitrary files on the server filesystem that are accessible by the BBj service account. Exploiting this flaw enables attackers to read sensitive configuration files, which may include credentials for the BBj Enterprise Manager. With these credentials, attackers can gain administrative access to the management interface and leverage legitimate management functions to execute arbitrary system commands under the service account's privileges. The severity of the impact depends on the operating system and the privilege level of the BBj service account; higher privileges could lead to full system compromise or exposure of additional sensitive OS and application data. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical nature with network attack vector, low attack complexity, no authentication or user interaction required, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the potential for severe damage makes this a high-priority issue for affected organizations. The vulnerability was published on November 20, 2025, and no official patches were listed at the time of this report, emphasizing the need for immediate mitigation strategies.
Potential Impact
For European organizations, the impact of CVE-2025-34320 can be severe, particularly for those relying on BASIS BBj for enterprise application development and management. Successful exploitation can lead to unauthorized disclosure of sensitive configuration data, including administrative credentials, which in turn can enable full administrative control over the BBj Enterprise Manager. This can result in execution of arbitrary commands on the host system, potentially leading to data breaches, system disruption, or lateral movement within the network. Confidentiality is at high risk due to exposure of sensitive files; integrity and availability are also threatened by the possibility of command execution and system manipulation. Organizations in sectors such as finance, manufacturing, and government that use BASIS BBj may face operational disruptions, regulatory compliance issues (e.g., GDPR violations due to data exposure), and reputational damage. The unauthenticated nature of the vulnerability increases the risk of widespread exploitation, especially if the affected systems are accessible from untrusted networks or the internet.
Mitigation Recommendations
1. Immediate network-level controls: Restrict access to the BASIS BBj Jetty-served web endpoint to trusted internal networks or VPNs only, using firewalls or network segmentation to reduce exposure. 2. Monitor and audit: Implement enhanced logging and monitoring of access to the BBj web endpoint and related management interfaces to detect suspicious activities or unauthorized access attempts. 3. Credential management: Rotate any exposed credentials for BBj Enterprise Manager and related systems as soon as possible to limit the impact of potential compromise. 4. Principle of least privilege: Ensure the BBj service account runs with the minimal necessary privileges to limit the scope of damage if exploited. 5. Patch management: Apply official patches or updates from BASIS International Ltd. as soon as they become available. In the absence of patches, consider temporary mitigations such as disabling the vulnerable web endpoint if feasible. 6. Incident response readiness: Prepare incident response plans specifically addressing potential exploitation scenarios of this vulnerability, including containment and recovery procedures. 7. Vulnerability scanning: Use internal vulnerability scanning tools to identify instances of BASIS BBj versions prior to 25.00 and prioritize remediation efforts accordingly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
CVE-2025-34320: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in BASIS International Ltd. BASIS BBj
Description
CVE-2025-34320 is a critical path traversal vulnerability in BASIS International Ltd. 's BASIS BBj product versions prior to 25. 00. The flaw exists in a Jetty-served web endpoint that does not properly validate or canonicalize input path segments, allowing unauthenticated attackers to read arbitrary files accessible to the service account. Sensitive configuration files containing credentials for BBj Enterprise Manager can be exposed, enabling attackers to gain administrative access and execute system commands with the service account's privileges. The impact varies depending on the operating system and service account privileges, potentially exposing confidential OS or application data. The vulnerability has a CVSS 4. 0 score of 9. 3, indicating critical severity with network attack vector, no required authentication or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
AI-Powered Analysis
Technical Analysis
CVE-2025-34320 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) affecting BASIS International Ltd.'s BASIS BBj software versions prior to 25.00. The vulnerability arises from a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments, allowing an unauthenticated attacker to craft directory traversal sequences (e.g., ../) to access arbitrary files on the server filesystem that are accessible by the BBj service account. Exploiting this flaw enables attackers to read sensitive configuration files, which may include credentials for the BBj Enterprise Manager. With these credentials, attackers can gain administrative access to the management interface and leverage legitimate management functions to execute arbitrary system commands under the service account's privileges. The severity of the impact depends on the operating system and the privilege level of the BBj service account; higher privileges could lead to full system compromise or exposure of additional sensitive OS and application data. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical nature with network attack vector, low attack complexity, no authentication or user interaction required, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the potential for severe damage makes this a high-priority issue for affected organizations. The vulnerability was published on November 20, 2025, and no official patches were listed at the time of this report, emphasizing the need for immediate mitigation strategies.
Potential Impact
For European organizations, the impact of CVE-2025-34320 can be severe, particularly for those relying on BASIS BBj for enterprise application development and management. Successful exploitation can lead to unauthorized disclosure of sensitive configuration data, including administrative credentials, which in turn can enable full administrative control over the BBj Enterprise Manager. This can result in execution of arbitrary commands on the host system, potentially leading to data breaches, system disruption, or lateral movement within the network. Confidentiality is at high risk due to exposure of sensitive files; integrity and availability are also threatened by the possibility of command execution and system manipulation. Organizations in sectors such as finance, manufacturing, and government that use BASIS BBj may face operational disruptions, regulatory compliance issues (e.g., GDPR violations due to data exposure), and reputational damage. The unauthenticated nature of the vulnerability increases the risk of widespread exploitation, especially if the affected systems are accessible from untrusted networks or the internet.
Mitigation Recommendations
1. Immediate network-level controls: Restrict access to the BASIS BBj Jetty-served web endpoint to trusted internal networks or VPNs only, using firewalls or network segmentation to reduce exposure. 2. Monitor and audit: Implement enhanced logging and monitoring of access to the BBj web endpoint and related management interfaces to detect suspicious activities or unauthorized access attempts. 3. Credential management: Rotate any exposed credentials for BBj Enterprise Manager and related systems as soon as possible to limit the impact of potential compromise. 4. Principle of least privilege: Ensure the BBj service account runs with the minimal necessary privileges to limit the scope of damage if exploited. 5. Patch management: Apply official patches or updates from BASIS International Ltd. as soon as they become available. In the absence of patches, consider temporary mitigations such as disabling the vulnerable web endpoint if feasible. 6. Incident response readiness: Prepare incident response plans specifically addressing potential exploitation scenarios of this vulnerability, including containment and recovery procedures. 7. Vulnerability scanning: Use internal vulnerability scanning tools to identify instances of BASIS BBj versions prior to 25.00 and prioritize remediation efforts accordingly.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.585Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 691f3714b661599aeb20f31a
Added to database: 11/20/2025, 3:43:16 PM
Last enriched: 11/27/2025, 4:45:41 PM
Last updated: 1/7/2026, 6:43:58 AM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-14804: CWE-73 External Control of File Name or Path in Frontend File Manager Plugin
HighCVE-2025-14719: CWE-89 SQL Injection in Relevanssi
HighCVE-2025-14835: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in opajaap WP Photo Album Plus
HighCVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr
CriticalCVE-2025-15474: CWE-770 Allocation of Resources Without Limits or Throttling in AuntyFey AuntyFey Smart Combination Lock
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.