CVE-2025-45890 is a directory traversal vulnerability identified in the software product 'novel plus' versions prior to 5.1.0. This vulnerability allows a remote attacker to manipulate the 'filePath' parameter to traverse directories outside the intended scope, potentially accessing and executing arbitrary code on the affected system. Directory traversal vulnerabilities exploit insufficient input validation or sanitization of file path parameters, enabling attackers to access restricted files or directories by using relative path components such as '../'. In this case, the vulnerability escalates beyond mere file disclosure to arbitrary code execution, indicating that the attacker can upload or execute malicious payloads remotely without authentication. The absence of a CVSS score and lack of known exploits in the wild suggest this is a newly disclosed vulnerability. However, the ability to execute arbitrary code remotely without authentication makes it a critical security issue. The lack of patch information implies that either a patch is forthcoming or users must apply mitigations until an official fix is released. The vulnerability's exploitation vector is remote, and it does not require user interaction, increasing the risk of automated exploitation attempts. The technical details confirm the vulnerability was reserved in April 2025 and published in June 2025, indicating recent discovery and disclosure. The absence of CWE classification limits detailed categorization, but the nature of the flaw aligns with CWE-22 (Path Traversal) and CWE-94 (Code Injection) due to arbitrary code execution capabilities.

For European organizations, the impact of CVE-2025-45890 can be severe. Organizations using 'novel plus' software prior to version 5.1.0 are at risk of remote compromise, potentially leading to full system takeover. This can result in unauthorized access to sensitive data, disruption of services, and the deployment of further malware or ransomware. Critical infrastructure, financial institutions, healthcare providers, and government agencies using this software are particularly vulnerable due to the potential for data breaches and operational disruption. The ability to execute arbitrary code remotely without authentication amplifies the threat, as attackers can automate exploitation and pivot within networks. Additionally, the lack of known exploits currently does not diminish the risk, as threat actors often develop exploits rapidly after public disclosure. The vulnerability could also be leveraged in targeted attacks against high-value European entities, especially those with strategic importance or handling critical data. The impact extends to reputational damage, regulatory penalties under GDPR for data breaches, and potential financial losses from downtime or remediation efforts.

1. Immediate upgrade: Organizations should prioritize upgrading 'novel plus' to version 5.1.0 or later once available. 2. Input validation: Until patches are applied, implement web application firewalls (WAFs) with custom rules to detect and block directory traversal patterns in the 'filePath' parameter. 3. Network segmentation: Isolate systems running vulnerable versions to limit lateral movement in case of compromise. 4. Access controls: Restrict file system permissions for the application to the minimum necessary, preventing execution of unauthorized code. 5. Monitoring and detection: Deploy intrusion detection systems (IDS) and monitor logs for suspicious access patterns or attempts to exploit the 'filePath' parameter. 6. Incident response readiness: Prepare and test incident response plans specifically for remote code execution scenarios. 7. Vendor engagement: Maintain communication with the software vendor for timely patch releases and advisories. 8. Application hardening: Disable unnecessary functionalities that accept file path inputs if feasible, reducing the attack surface. 9. User awareness: Educate administrators about the vulnerability and signs of exploitation to enhance early detection.