
CVE-2025-52460: Files or directories accessible to external parties in DOS Co., Ltd. SS1

Medium
Published: Thu Aug 28 2025 (08/28/2025, 08:27:52 UTC)
Source: CVE Database V5
Vendor/Project: DOS Co., Ltd.
Product: SS1

Description

A "files or directories accessible to external parties" issue exists in SS1 Ver.16.0.0.10 and earlier (Media version: 16.0.0a and earlier). If exploited, uploaded files and SS1 configuration files may be accessed by a remote unauthenticated attacker.

AI-Powered Analysis

Last updated: 08/28/2025, 09:04:08 UTC

Technical Analysis

CVE-2025-52460 is a medium-severity vulnerability affecting DOS Co., Ltd.'s SS1 product, specifically versions 16.0.0.10 and earlier (including Media version 16.0.0a and earlier) running in Windows environments. The vulnerability allows a remote unauthenticated attacker to access files or directories that should not be externally reachable, including uploaded files and SS1 configuration files. It arises from improper access controls on those files or directories, so sensitive information can be retrieved without authentication or user interaction. The CVSS 3.0 base score is 5.3, reflecting a network attack vector with low complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality; integrity and availability are not affected. No known exploits are currently reported in the wild, but exposure of configuration files and uploaded data could lead to information disclosure that aids reconnaissance or further attacks.

Potential Impact

For European organizations using DOS Co., Ltd.'s SS1 product in Windows environments, this vulnerability poses a risk of unauthorized data disclosure. Access to configuration files may reveal sensitive system settings, credentials, or network information, which could facilitate lateral movement or targeted attacks. Uploaded files that are externally accessible might contain confidential business data or personally identifiable information (PII), leading to privacy violations and regulatory non-compliance under GDPR. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can damage organizational reputation, result in financial penalties, and increase exposure to follow-on attacks. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, are particularly exposed to the consequences of such information leaks.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first identify all instances of SS1 running on Windows platforms and verify their version. Upgrading promptly to a fixed version later than 16.0.0.10 (or Media version 16.0.0a) is recommended as soon as patches are available. Until then, implement strict network segmentation and firewall rules to restrict external access to SS1 servers, in particular limiting exposure of HTTP/HTTPS and file-sharing ports. Review and harden file system permissions so that sensitive directories and uploaded files are not publicly accessible. Employ web application firewalls (WAFs) to detect and block unauthorized file access attempts. Conduct regular audits and monitoring of access logs to detect suspicious activity. Additionally, consider encrypting sensitive uploaded files and configuration data at rest to reduce the impact of unauthorized access. Finally, raise user awareness of the risks of uploading sensitive data to vulnerable systems.


Technical Details

Data Version
5.1
Assigner Short Name
jpcert
Date Reserved
2025-08-25T06:42:31.576Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68b017b8ad5a09ad006b3bea

Added to database: 8/28/2025, 8:47:52 AM

Last enriched: 8/28/2025, 9:04:08 AM

Last updated: 9/4/2025, 10:24:29 PM
