
CVE-2025-45239: n/a

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-45239
Published: Mon May 05 2025 (05/05/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

An issue in the restores method (DataBackup.php) of foxcms v2.0.6 allows attackers to execute a directory traversal.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 18:26:19 UTC

Technical Analysis

CVE-2025-45239 is a medium-severity directory traversal (CWE-22) in the restores method of the DataBackup.php component of foxcms version 2.0.6. The restores method builds a file path from request input without confining the result to the intended backup directory, so an attacker who supplies '../' segments can reach files outside that directory.

The CVSS v3.1 base score is 5.3 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: exploitable over the network with low complexity, no privileges and no user interaction, with a low confidentiality impact and no rated impact on integrity or availability. Taken at face value, the vector means an unauthenticated remote attacker can read files that the web server process can read, which on a typical CMS deployment includes configuration files and database credentials.

Two caveats apply. The public description is a single sentence, and no vendor advisory, patch or proof of concept has been published, so the unauthenticated, read-only characterisation rests on the CVSS vector rather than on documented request details; because the affected routine is a restore function that accepts an attacker-chosen path, operators should confirm for their own deployment whether it only reads the targeted file or also imports it. No exploitation in the wild has been reported. The rated impact is information disclosure rather than code execution or denial of service, but the disclosed data, credentials in particular, can enable follow-on compromise.
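The following is an added illustration of the CWE-22 pattern described above, not code from foxcms (this page does not reproduce DataBackup.php). The backup directory, the name of the user-supplied parameter and the .sql naming rule are assumptions. It contrasts the unsafe join-and-trust construction with a hardened version that allow-lists the file name and then canonicalises the result and checks that it stays inside the backup directory:

```python
import os
import re

# Hypothetical backup directory and naming rule; foxcms' real layout and parameter
# names are not documented on this page.
BACKUP_DIR = "/var/www/html/data/backup"
# Allow-list for the user-supplied file name: one path component, safe characters,
# .sql suffix, no leading dot (excludes '.', '..' and hidden files).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]*\.sql$")


class TraversalError(ValueError):
    """Raised when a restore request names something outside the backup directory."""


def vulnerable_restore_path(user_file: str, base: str = BACKUP_DIR) -> str:
    """The CWE-22 construction: join untrusted input onto the backup directory and
    trust the result. Each '../' segment in user_file walks one level out of base."""
    return os.path.normpath(os.path.join(base, user_file))


def safe_restore_path(user_file: str, base: str = BACKUP_DIR) -> str:
    """Hardened form, two layers deep.

    1. Reject anything that is not a plain backup file name (no separators, no '..').
    2. Canonicalise base and candidate with realpath (resolving symlinks) and require
       the candidate to sit strictly inside base. Layer 2 still matters if layer 1 is
       ever loosened, or if a symlink inside the backup directory points elsewhere.
    """
    if not SAFE_NAME.match(user_file):
        raise TraversalError(f"rejected file name: {user_file!r}")
    try:
        base_real = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(base_real, user_file))
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:
        # embedded NUL byte or paths on different drives: refuse rather than guess
        inside = False
    if not inside or candidate == base_real:
        raise TraversalError(f"rejected path outside backup directory: {user_file!r}")
    return candidate


def demo() -> dict:
    """Side-by-side outcome for a benign name and a traversal payload."""
    payload = "../../../../../etc/passwd"
    results = {
        "vulnerable_benign": vulnerable_restore_path("20250505.sql"),
        "vulnerable_payload": vulnerable_restore_path(payload),
        "safe_benign": safe_restore_path("20250505.sql"),
    }
    try:
        safe_restore_path(payload)
        results["safe_payload"] = "accepted"
    except TraversalError as exc:
        results["safe_payload"] = f"rejected ({exc})"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list alone would stop the payloads this advisory is about; the realpath containment check is kept as a second layer because it is the check that survives when input rules are relaxed, and it is the one to add to a restore routine that must accept sub-directories. Both checks must run on the value after the web server has URL-decoded it.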

Potential Impact

For European organizations using foxcms version 2.0.6, this vulnerability poses a risk of unauthorized disclosure of sensitive information stored on web servers. Such information could include internal configuration files, database credentials, or user data, which attackers could leverage to escalate privileges or conduct targeted attacks. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face compliance risks if sensitive data is exposed. The lack of required authentication and user interaction increases the risk profile, as attackers can exploit the vulnerability remotely without any prior access. However, since the vulnerability does not allow code execution or denial of service, the immediate operational impact is limited. Nonetheless, the potential for information leakage could undermine confidentiality and trust, leading to reputational damage and regulatory penalties under GDPR if personal data is involved.

Mitigation Recommendations

European organizations should inventory their web estate for foxcms 2.0.6 deployments and determine whether the DataBackup.php restores endpoint is reachable, in particular from the Internet. Backup and restore functions belong behind administrator authentication and, where possible, behind network restrictions such as a VPN or an IP allow-list; if the restore feature is not needed, disable it or remove the handler. Until a vendor fix exists, a web application firewall (WAF) or reverse proxy rule can block traversal attempts, but it must match after full URL decoding and cover encoded and mixed variants (%2e%2e%2f, the double-encoded %252e%252e%252f, ..\ and ..%5c) rather than only the literal '../' string; treat such a rule as a stopgap, not a fix. Run the PHP process under a dedicated account with read access limited to the directories the CMS needs, so that a successful traversal cannot reach system files or other applications' configuration. Monitor web server logs for requests to backup or restore endpoints whose parameters contain traversal sequences after decoding, and alert on them even when the response is a 404, since failed probes usually precede a successful one. Finally, track the vendor for a fixed release and apply it promptly, and keep the CMS version inventory current so exposure can be re-assessed when the fix appears.
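To make the log-monitoring and WAF-pattern advice concrete, the following added example (not part of the original advisory, and not foxcms code) scans constructed access-log lines for traversal attempts and shows why matching the literal '../' is not enough. The route /admin/DataBackup/restores and the name parameter are hypothetical; only the file name DataBackup.php and the method name restores come from the advisory, and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format. The route /admin/DataBackup/restores
# and the 'name' parameter are assumptions; the advisory only names DataBackup.php and
# the restores method.
SAMPLE_LOG = """\
203.0.113.10 - - [05/May/2025:10:01:02 +0000] "GET /admin/DataBackup/restores?name=20250505.sql HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [05/May/2025:10:01:07 +0000] "GET /admin/DataBackup/restores?name=../../../../../etc/passwd HTTP/1.1" 200 1337 "-" "curl/8.4.0"
203.0.113.12 - - [05/May/2025:10:01:09 +0000] "GET /admin/DataBackup/restores?name=%2e%2e%2f%2e%2e%2fconfig/database.php HTTP/1.1" 200 900 "-" "python-requests/2.31.0"
203.0.113.13 - - [05/May/2025:10:01:12 +0000] "GET /admin/DataBackup/restores?name=%252e%252e%255c%252e%252e%255cconfig.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.14 - - [05/May/2025:10:01:15 +0000] "GET /index.php?m=news&id=../3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# After full decoding and backslash normalisation, a '..' segment followed by a
# separator (or ending the string) is the traversal signal.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")
# Routes whose abuse matters most for this CVE; adjust to the real route.
BACKUP_ENDPOINT_RE = re.compile(r"databackup|restore|backup", re.I)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def naive_literal_filter(target: str) -> bool:
    """What a rule that only matches the literal '../' sees: it misses encoded variants."""
    return "../" in target


def has_traversal(target: str) -> bool:
    """Decode, fold backslashes to slashes, then look for a '..' path segment."""
    normalised = decode_fully(target).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(normalised))


def scan_log(text: str) -> list:
    """Return one record per flagged request; severity is 'high' on backup/restore routes.
    Requests are flagged regardless of status code: a 404 is still an attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["target"]):
            continue
        path = decode_fully(m["target"]).split("?", 1)[0]
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "status": int(m["status"]),
            "severity": "high" if BACKUP_ENDPOINT_RE.search(path) else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        naive = "yes" if naive_literal_filter(hit["target"]) else "NO"
        print(f'{hit["severity"]:4} {hit["ip"]} {hit["status"]} literal-filter-hit={naive} {hit["target"]}')
```

Against the sample, the literal filter catches only two of the four attempts; the single- and double-encoded requests pass it untouched. A WAF rule should therefore apply the same decode-until-stable, normalise, then match sequence that has_traversal uses, and the route pattern in BACKUP_ENDPOINT_RE should be tightened to the actual foxcms restore URL once it is known.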


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-04-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fc1484d88663aecc9e

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 6:26:19 PM

Last updated: 8/6/2025, 8:27:11 PM
