CVE-2025-49448: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Fastw3b LLC FW Food Menu
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu: from n/a through 6.0.0.
AI Analysis
Technical Summary
CVE-2025-49448 is a high-severity path traversal vulnerability (CWE-22) affecting the FW Food Menu software developed by Fastw3b LLC. This vulnerability allows an attacker to manipulate file path inputs to access files and directories outside the intended restricted directory. The flaw arises from improper limitation of pathname inputs, enabling traversal sequences such as '../' to escape the designated directory boundaries. The vulnerability affects FW Food Menu versions up to 6.0.0, with no specific lower bound version identified. The CVSS 3.1 base score is 8.6, indicating a high severity with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. This means the vulnerability is remotely exploitable over the network without any privileges or user interaction, and it results in a changed scope (S:C) with a high impact on availability but no impact on confidentiality or integrity. The primary impact is denial of service or disruption of service availability, potentially by accessing or deleting critical files or causing application crashes. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on June 27, 2025, and reserved earlier that month. The path traversal issue could allow attackers to interfere with the normal operation of the FW Food Menu application by accessing or manipulating files outside the intended directories, which could lead to service outages or application failures.
Potential Impact
For European organizations using FW Food Menu, particularly those in the hospitality and food service sectors, this vulnerability poses a significant risk to service availability. Exploitation could lead to denial of service conditions, disrupting online menu services, ordering systems, or other critical functionalities dependent on FW Food Menu. This disruption could affect customer experience, lead to financial losses, and damage reputation. Since the vulnerability does not impact confidentiality or integrity directly, data breaches or unauthorized data modifications are less likely. However, the availability impact alone can be critical for businesses relying on continuous online presence. Additionally, the vulnerability being remotely exploitable without authentication increases the risk of widespread attacks if the software is exposed to the internet. European organizations with public-facing FW Food Menu installations are particularly vulnerable to such attacks, which could be leveraged by threat actors to cause operational disruptions or as part of larger attack campaigns.
Mitigation Recommendations
Organizations should immediately audit their use of FW Food Menu software to identify affected versions (up to 6.0.0). Since no patches are currently linked, temporary mitigations include restricting network access to the FW Food Menu application, especially from untrusted networks, using firewalls or network segmentation to limit exposure. Input validation and sanitization should be enforced at the application or web server level to prevent path traversal sequences from being processed. Web application firewalls (WAFs) can be configured to detect and block path traversal attempts. Monitoring logs for unusual file access patterns or errors related to file handling can provide early detection of exploitation attempts. Organizations should engage with Fastw3b LLC for updates on patches or security advisories and plan for prompt application of any released fixes. Additionally, implementing robust backup and recovery procedures will help mitigate the impact of potential availability disruptions caused by exploitation.
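Two of the mitigations above, input validation that stops traversal sequences from reaching the file system and log monitoring for traversal attempts, are shown below as an added defensive example. This is not code from FW Food Menu or Fastw3b LLC, and nothing here reflects how the affected plugin handles paths; the base directory MENU_DIR, the function names and the access-log lines in SAMPLE_LOG are all constructed for illustration.

```python
"""
Defensive checks for CWE-22 path traversal: a containment check for
user-supplied file paths and a scanner that flags traversal attempts in
web access logs. Added example, not code from FW Food Menu; MENU_DIR and
SAMPLE_LOG are constructed values.
"""
import os
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Hypothetical directory the application is allowed to serve files from.
MENU_DIR = "/srv/app/menus"


def resolve_within_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical absolute path for user_path if it stays inside
    base_dir, otherwise None.

    Percent-decoding runs twice so double-encoded '..' (%252e%252e) is
    seen for what it is; realpath then collapses '..' segments and
    symlinks, so the containment test is made on the real target."""
    decoded = unquote(unquote(user_path))
    # NUL bytes can truncate paths in C-based file APIs; reject outright.
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # Leading separators are stripped so an absolute input is treated as
    # relative to the base instead of replacing it.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    # commonpath avoids the '/srv/app/menus2' prefix pitfall of startswith.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Traversal indicators in a request target: raw '../' or '..\', the
# single-encoded '%2e%2e' / '..%2f' / '..%5c' forms, double-encoded
# '%252e%252e', and the overlong UTF-8 '%c0%ae' dot. Case-insensitive.
TRAVERSAL_RE = re.compile(
    r"(\.\.[\\/])|(%2e%2e)|(\.\.%2f)|(\.\.%5c)|(%252e%252e)|(%c0%ae)",
    re.IGNORECASE,
)

# Common-log-format line: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jun/2025:12:05:02 +0000] "GET /menu/file?name=lunch.json HTTP/1.1" 200 512
203.0.113.11 - - [27/Jun/2025:12:05:09 +0000] "GET /menu/file?name=../../../../app/config.php HTTP/1.1" 500 0
203.0.113.12 - - [27/Jun/2025:12:05:15 +0000] "GET /menu/file?name=..%2F..%2Fsettings.ini HTTP/1.1" 404 0
203.0.113.13 - - [27/Jun/2025:12:05:21 +0000] "GET /menu/file?name=%252e%252e%252fsettings.ini HTTP/1.1" 200 80
203.0.113.14 - - [27/Jun/2025:12:05:30 +0000] "GET /menu/list?page=2 HTTP/1.1" 200 1024
"""


def scan_access_log(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose target carries a traversal
    pattern, including the fully decoded target for the analyst."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if TRAVERSAL_RE.search(target):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "target": target,
                "decoded": unquote(unquote(target)),
            })
    return hits


if __name__ == "__main__":
    for probe in ("2025/lunch.json", "../../etc/hosts", "..%2F..%2Fsettings.ini"):
        print(f"{probe!r:32} -> {resolve_within_base(MENU_DIR, probe)}")
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} {hit['decoded']}")
```

The containment check is the part to place in the application code path that opens files from a request parameter: it returns a usable path only when the canonical target is inside the base directory, and None for anything that escapes or contains a NUL byte. The log scanner is a starting point for the monitoring recommendation; a 500 or 404 on a request that matched the traversal pattern is still worth alerting on, since a failed attempt is the earliest signal that someone is probing the endpoint.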
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T15:44:57.576Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685e88eeca1063fb875de4ea
Added to database: 6/27/2025, 12:05:02 PM
Last enriched: 6/27/2025, 12:31:05 PM
Last updated: 11/21/2025, 9:14:31 PM