CVE-2025-41428 is a path traversal vulnerability identified in Keiyo System Co., LTD's TimeWorks software versions 10.0 through 10.3. This vulnerability arises due to improper limitation of pathname inputs, allowing an attacker to manipulate file path parameters to access files outside the intended restricted directories. Specifically, a remote unauthenticated attacker can exploit this flaw to view arbitrary JSON files stored on the server. Since the vulnerability does not require any authentication or user interaction and can be exploited remotely over the network, it presents a significant risk of unauthorized information disclosure. The vulnerability's CVSS 3.0 base score is 5.3, indicating a medium severity level. The impact is limited to confidentiality, as the attacker can read sensitive JSON data but cannot modify files or disrupt availability. No known exploits are currently reported in the wild, and no patches or mitigation links have been published yet. The vulnerability affects TimeWorks versions 10.0 to 10.3, which is a time management or workforce-related software product developed by Keiyo System Co., LTD. The technical root cause is the failure to properly sanitize or restrict file path inputs, enabling directory traversal attacks that bypass intended access controls.

For European organizations using TimeWorks versions 10.0 to 10.3, this vulnerability could lead to unauthorized disclosure of sensitive JSON files stored on the server. These files may contain configuration data, user information, scheduling details, or other business-critical information depending on how the software is deployed. Exposure of such data could facilitate further attacks, including social engineering, reconnaissance, or targeted exploitation of other systems. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone could violate data protection regulations such as GDPR, leading to legal and reputational consequences. Organizations in sectors with high privacy requirements, such as healthcare, finance, or government, may face increased risks. Additionally, since the vulnerability requires no authentication, it can be exploited by external attackers without insider access, increasing the attack surface. The lack of known exploits in the wild currently reduces immediate risk, but the medium severity rating and ease of exploitation warrant prompt attention.

To mitigate CVE-2025-41428, European organizations should first identify all instances of TimeWorks versions 10.0 to 10.3 in their environment. Until an official patch is released by Keiyo System Co., LTD, organizations should implement compensating controls such as network-level restrictions to limit access to the TimeWorks server only to trusted internal IP addresses or VPN users. Web application firewalls (WAFs) can be configured to detect and block path traversal attack patterns in HTTP requests. Additionally, administrators should review and restrict file permissions on the server to minimize exposure of sensitive JSON files. Monitoring and logging access to these files can help detect suspicious activity. Organizations should engage with the vendor for patch availability and apply updates promptly once released. Conducting a thorough security assessment of TimeWorks deployments and isolating the application from critical network segments can further reduce risk. Finally, educating IT staff about this vulnerability and ensuring incident response plans are updated to address potential exploitation scenarios will enhance preparedness.