CVE-2025-58590: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in SICK AG Baggage Analytics
It is possible to brute force folders and files, which an attacker can use to steal sensitive information.
AI Analysis
Technical Summary
CVE-2025-58590 is a CWE-22 path traversal vulnerability identified in SICK AG's Baggage Analytics software, which is used primarily in airport baggage handling and analytics systems. The vulnerability arises from improper limitation of pathname inputs, allowing an attacker to brute force directory and file paths beyond the intended restricted directories. This flaw enables unauthorized reading of sensitive files, potentially exposing confidential information such as passenger data, operational logs, or system configurations. The vulnerability requires network access and low privileges (PR:L), but does not require user interaction (UI:N), making it feasible for remote exploitation. The CVSS 3.1 base score of 6.5 reflects a medium severity, driven by high confidentiality impact, no integrity or availability impact, low attack complexity, and no user interaction. No patches or known exploits are currently available, indicating a window of exposure. The vulnerability's exploitation could compromise data confidentiality within critical airport infrastructure, undermining operational security and privacy compliance. The brute force nature of the attack suggests that automated tools could be used to enumerate files, increasing the risk of data leakage over time.
Potential Impact
For European organizations, particularly those operating airports and transportation hubs, this vulnerability poses a significant risk to the confidentiality of sensitive operational and passenger data. Exposure of such information could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. The ability to access restricted files remotely with low privileges increases the attack surface, especially if network segmentation or access controls are insufficient. Disclosed information could be leveraged for further attacks, including social engineering or targeted intrusions. The lack of integrity or availability impact limits immediate operational disruption but does not diminish the threat to data confidentiality. Organizations relying on SICK AG Baggage Analytics must consider the potential for data breaches and the associated legal and financial consequences within the European regulatory environment.
Mitigation Recommendations
1. Implement strict input validation and sanitization on all pathname inputs to prevent traversal sequences such as '../'.
2. Enforce robust access control mechanisms to restrict file system access only to authorized users and processes.
3. Monitor file access logs for unusual or repeated attempts to access unauthorized directories or files, indicating brute force path traversal attempts.
4. Segment the network to isolate baggage analytics systems from broader corporate or public networks, limiting exposure.
5. Apply the principle of least privilege to service accounts and users interacting with the Baggage Analytics system.
6. Engage with SICK AG for timely patch releases and apply updates as soon as they become available.
7. Conduct regular security assessments and penetration testing focused on file system access controls.
8. Educate security teams on recognizing indicators of path traversal exploitation attempts.
9. Consider deploying web application firewalls or intrusion detection systems with rules to detect path traversal patterns.
10. Prepare incident response plans specific to data leakage scenarios involving baggage handling systems.
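As an added illustration of mitigation steps 1 and 3 (not SICK AG code, and not tied to how Baggage Analytics actually serves files), the following shows a path-containment check that canonicalises the requested path instead of pattern-matching '../', and a log-side counter that flags clients repeatedly requesting paths that would escape the export directory. BASE_DIR, the `name=` parameter, the log format and the threshold are all assumptions; the log lines are constructed.

```python
from collections import Counter
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

BASE_DIR = Path("/srv/analytics/exports")  # assumed export root, not the product's real path


def resolve_within(base, user_path):
    """Canonical path of user_path under base, or None if it would escape base.
    Percent-decoding first means '%2e%2e%2f' is treated like '../', and the
    final check relies on canonicalisation, not on spotting the '../' string."""
    decoded = unquote(user_path)
    if "\x00" in decoded:  # NUL bytes never occur in legitimate file names
        return None
    rel = PurePosixPath(decoded)
    if rel.is_absolute() or ".." in rel.parts:  # reject absolute paths and any '..' segment
        return None
    candidate = (base / rel).resolve()  # also collapses symlinks that point outside base
    try:
        candidate.relative_to(base.resolve())
    except ValueError:
        return None
    return candidate


# Constructed sample access-log lines: client, HTTP status, request path.
SAMPLE_LOG = """\
10.0.5.21 200 /api/files?name=reports/2025/flight.csv
10.0.5.77 404 /api/files?name=../../etc/passwd
10.0.5.77 404 /api/files?name=../../../etc/shadow
10.0.5.77 404 /api/files?name=..%2f..%2fconfig/db.yml
10.0.5.77 200 /api/files?name=../logs/app.log
10.0.5.21 200 /api/files?name=reports/2025/summary.csv
"""


def traversal_attempts_by_client(log_text):
    """Count, per client, requests whose 'name' parameter escapes BASE_DIR.
    Reuses the server-side check so encoded variants count, and ignores the
    status code: a 200 on an escaping path is the case that matters most."""
    hits = Counter()
    for line in log_text.splitlines():
        client, _status, url = line.split(" ", 2)
        if resolve_within(BASE_DIR, url.partition("name=")[2]) is None:
            hits[client] += 1
    return hits


def flag_brute_force(log_text, threshold=3):
    """Clients with at least `threshold` escaping requests (threshold is an assumed tuning value)."""
    return sorted(c for c, n in traversal_attempts_by_client(log_text).items() if n >= threshold)
```

Running the detector over real logs only works if the requested path is logged verbatim; if the application decodes or truncates it first, the count will undercount encoded attempts.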
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: SICK AG
- Date Reserved: 2025-09-03T08:58:53.142Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e36cef0e76680ec164d684
Added to database: 10/6/2025, 7:17:03 AM
Last enriched: 10/6/2025, 7:18:52 AM
Last updated: 10/7/2025, 12:49:06 PM