CVE-2025-45320: n/a in n/a
A Directory Listing Vulnerability was found in the /osms/Requester/ directory of the Kashipara Online Service Management Portal V1.0.
AI Analysis
Technical Summary
CVE-2025-45320 is a directory listing vulnerability identified in the /osms/Requester/ directory of the Kashipara Online Service Management Portal version 1.0. Directory listing vulnerabilities occur when a web server is configured to allow users to view the contents of directories that do not have an index file or proper access restrictions. In this case, an attacker can remotely access the directory listing without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). This vulnerability exposes potentially sensitive files and information stored within the directory, which could include configuration files, scripts, logs, or other data that may aid an attacker in further exploitation or reconnaissance. The CVSS score of 7.5 (high severity) reflects the significant confidentiality impact (C:H) while integrity and availability are not affected (I:N/A:N). The vulnerability is classified under CWE-548, which pertains to exposure of directory listings. No patches or fixes are currently available, and there are no known exploits in the wild at this time. However, the ease of exploitation and the potential to gather sensitive information make this a notable risk, especially for organizations relying on the Kashipara Online Service Management Portal for service management operations.
Potential Impact
For European organizations using the Kashipara Online Service Management Portal, this vulnerability could lead to unauthorized disclosure of sensitive information, potentially including internal service requests, user data, or system configuration details. Such exposure can facilitate further attacks such as targeted phishing, credential harvesting, or exploitation of other vulnerabilities. The confidentiality breach could undermine customer trust and lead to regulatory non-compliance, particularly under GDPR, which mandates strict controls over personal data exposure. While the vulnerability does not directly impact system integrity or availability, the information leakage could indirectly enable more damaging attacks. Organizations in sectors with high regulatory scrutiny or those managing critical infrastructure services may face heightened risks and potential legal and financial consequences if exploited.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately review and update the web server configuration hosting the Kashipara Online Service Management Portal to disable directory listing for all directories, especially /osms/Requester/. This can typically be done by setting the 'Options -Indexes' directive in Apache or 'autoindex off;' in Nginx configurations. Additionally, implement strict access controls and authentication mechanisms to restrict directory access to authorized users only. Conduct a thorough audit of the exposed directories to identify and secure any sensitive files. If possible, isolate the portal within a segmented network zone with limited external exposure. Organizations should also monitor web server logs for unusual access patterns to the affected directory and prepare incident response plans in case exploitation attempts are detected. Finally, engage with the vendor or development team to obtain or request patches or updates that address this vulnerability.
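One way to carry out the log review recommended above, as an added example that is not part of the original advisory: it scans access-log lines for requests under /osms/Requester/ that the server answered with a directory index. The combined log format, the sample lines and the assumption that the directory holds no index file are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Apache mod_autoindex column-sort links carry queries such as ?C=M;O=D
SORT_RE = re.compile(r'(^|[;&])C=[NMSD]([;&]O=[AD])?($|[;&])')
PREFIX = "/osms/Requester/"  # directory named in the advisory

# Constructed sample lines (documentation IP ranges, placeholder file name).
SAMPLE = '''\
203.0.113.7 - - [21/May/2025:09:10:01 +0000] "GET /osms/Requester/ HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.7 - - [21/May/2025:09:10:04 +0000] "GET /osms/Requester/?C=M;O=D HTTP/1.1" 200 1843 "-" "curl/8.5.0"
198.51.100.23 - - [21/May/2025:09:12:30 +0000] "GET /osms/Requester/placeholder.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [22/May/2025:08:00:00 +0000] "GET /osms/Requester/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
'''

def listing_hits(lines, prefix=PREFIX):
    """Return {client_ip: [(timestamp, target, reason), ...]} for requests
    that look like a served directory index under `prefix`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        path, _, query = m["target"].partition("?")
        # Compare case-insensitively: some hosts serve paths that way.
        if not path.lower().startswith(prefix.lower()):
            continue
        if m["status"] != "200":
            continue  # 403/404: the listing was not served
        if SORT_RE.search(query):
            reason = "autoindex sort link"
        elif path.endswith("/"):
            reason = "directory URL answered 200"
        else:
            continue  # ordinary file request, not a listing
        hits[m["ip"]].append((m["ts"], m["target"], reason))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in listing_hits(SAMPLE.splitlines()).items():
        for ts, target, reason in events:
            print(ip, ts, target, reason)
```

After `Options -Indexes` or `autoindex off;` is in place, the same directory URL should show up with status 403 or 404, as in the last sample line, and produce no hits.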
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd9b4c
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 7/5/2025, 2:56:02 PM
Last updated: 8/16/2025, 2:00:01 PM