
CVE-2025-59744: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in AndSoft e-TMS

Severity: High
Tags: Vulnerability, CVE-2025-59744, CWE-22
Published: Thu Oct 02 2025 (10/02/2025, 14:16:32 UTC)
Source: CVE Database V5
Vendor/Project: AndSoft
Product: e-TMS

Description

Path traversal vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to access files only within the web root using the “docurl” parameter in “/lib/asp/DOCSAVEASASP.ASP”.

AI-Powered Analysis

AI analysis last updated: 10/02/2025, 14:20:20 UTC

Technical Analysis

CVE-2025-59744 is a high-severity path traversal vulnerability in AndSoft's e-TMS version 25.03. The root cause is improper limitation of a pathname to a restricted directory (CWE-22) in the handling of the “docurl” parameter of the endpoint “/lib/asp/DOCSAVEASASP.ASP”. An unauthenticated remote attacker can manipulate “docurl” to read arbitrary files located within the web root directory of the server. Because the traversal is confined to the web root, files elsewhere on the host are not affected, but the web root itself may hold configuration data, source code, or other material that facilitates further attacks, so the confidentiality impact is rated high. The CVSS 4.0 base score is 8.7: the attack vector is network, attack complexity is low, no privileges or user interaction are required, and the impact is high on confidentiality with no effect on integrity or availability. No exploits in the wild have been reported, and no patch has been linked yet. The CVE was reserved on 2025-09-19 and published on 2025-10-02 by INCIBE, indicating recent discovery and disclosure.
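The CWE-22 pattern above comes down to one missing check: the value of a request parameter is joined onto a directory and opened without confirming that the result still lies inside that directory. The following Python is an added example, not code from AndSoft or from this advisory, of the allow-list check a document-serving endpoint needs before it turns a user-supplied “docurl” value into a filesystem path. The document root (`/srv/etms/www/docs`), the `resolve_document` and `is_confined` names and the sample values are all constructed for illustration. Rather than stripping `../` (which percent-encoded or backslash variants slip past), it requires every path segment to match a narrow allow-list and then re-checks the resolved absolute path against the root so that symlinks cannot lead outside it either.

```python
"""Confine a user-supplied document reference to one directory.

Added example for the CWE-22 pattern described above; it is not AndSoft code.
The document root is a constructed path and the function only models the
check an endpoint such as DOCSAVEASASP.ASP would need before opening a file.
"""
import os
import re
from urllib.parse import unquote

# Each path segment must start with a letter or digit; this single rule rejects
# "..", ".", empty segments (from "//"), and anything still percent-encoded.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class PathRejected(ValueError):
    """Raised when the requested document would fall outside the root."""


def resolve_document(docurl: str, doc_root: str) -> str:
    """Return the absolute path for docurl, or raise PathRejected.

    Validation is allow-list based: rather than stripping "../" (which
    percent-encoded or backslash variants bypass), every segment must match
    SAFE_SEGMENT, and the resolved path is then re-checked against the root
    so symlinks cannot lead outside it either.
    """
    # Decode exactly once. IIS has normally done this already; a value that
    # still contains '%' afterwards was double-encoded and fails SAFE_SEGMENT.
    decoded = unquote(docurl)
    if "\0" in decoded:
        raise PathRejected("control character in path")
    # Classic ASP runs on Windows, where both separators are accepted.
    normalised = decoded.replace("\\", "/")
    if normalised.startswith("/") or ":" in normalised:
        raise PathRejected("absolute path or drive letter not allowed")
    segments = normalised.split("/")
    if not all(SAFE_SEGMENT.match(seg) for seg in segments):
        raise PathRejected("path segment not permitted")
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Defence in depth: the lexical check above should already guarantee this.
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("resolved path escapes document root")
    return candidate


def is_confined(docurl: str, doc_root: str = "/srv/etms/www/docs") -> bool:
    """Convenience wrapper: True if docurl would be served from doc_root."""
    try:
        resolve_document(docurl, doc_root)
    except PathRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values: one legitimate reference and several that
    # must be refused (plain, encoded, double-encoded and backslash variants).
    for value in ("reports/q1.pdf", "../web.config", "..%2F..%2Fweb.config",
                  "%252e%252e/web.config", "reports\\..\\secret.txt"):
        verdict = "allowed" if is_confined(value) else "rejected"
        print(f"{value!r:32} -> {verdict}")
```

The segment allow-list is deliberately stricter than a denylist of `../`: it also refuses `.` segments, empty segments, hidden files and anything that still carries a `%` after one round of decoding, which is exactly the shape of the variants that defeat naive filters. The final `realpath` comparison costs nothing and covers the case where a permitted name is a symlink pointing elsewhere.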

Potential Impact

For European organizations using AndSoft e-TMS v25.03, this vulnerability poses a significant risk to confidentiality. Attackers could access sensitive files within the web root, potentially exposing configuration files, credentials, or proprietary business information. This could lead to further compromise, such as privilege escalation or lateral movement within the network. Given that e-TMS is a transportation management system, exposure of operational data could disrupt logistics and supply chain processes, impacting business continuity and causing financial losses. The lack of authentication requirement increases the risk of automated scanning and exploitation attempts. Although the vulnerability does not allow access beyond the web root, the information disclosure alone can be leveraged for targeted attacks. European organizations in sectors relying heavily on logistics and transportation management, such as manufacturing, retail, and distribution, are particularly vulnerable. Additionally, regulatory frameworks like GDPR impose strict data protection requirements, and exposure of personal or sensitive data through this vulnerability could lead to compliance violations and penalties.

Mitigation Recommendations

Organizations should immediately audit their use of AndSoft e-TMS v25.03 and restrict access to the vulnerable endpoint “/lib/asp/DOCSAVEASASP.ASP” to trusted IP addresses only, using a web application firewall (WAF) or network access controls. Apply strict input validation and sanitization to the “docurl” parameter so that path traversal sequences such as '../' are rejected. Until a vendor patch is released, deploy virtual patching rules in the WAF to detect and block exploitation attempts. Review file permissions and contents so that sensitive files are either not stored under the web root or hold as little sensitive information as possible. Monitor web server logs for suspicious requests targeting the vulnerable parameter. Engage with AndSoft for a patch and apply it promptly once available. Additionally, segment the network so that the e-TMS system is isolated from critical infrastructure and sensitive data repositories, limiting lateral movement if the host is compromised.
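For the log-monitoring recommendation above, the following Python is an added example (not tooling from AndSoft or from this advisory) of a small hunt over IIS W3C-format logs: it picks out requests to the vulnerable endpoint whose “docurl” value, after undoing repeated percent-encoding and folding backslashes, contains a `..` segment or an absolute path, and tallies them per client address. The log excerpt, the trimmed `#Fields` layout, the addresses and the function names are all constructed for illustration; IIS writes `cs-uri-query` raw, so the decoding step matters for the double-encoded variant.

```python
"""Hunt IIS logs for traversal attempts against the DOCSAVEASASP.ASP endpoint.

Added example for the log-monitoring recommendation above; the log excerpt is
constructed for illustration and the field layout is a trimmed IIS W3C format.
"""
import re
from urllib.parse import parse_qs, unquote

VULNERABLE_STEM = "/lib/asp/docsaveasasp.asp"

# After backslashes are folded to "/", a traversal-looking value is one that
# contains a ".." segment, starts at the filesystem root, or names a drive.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)|^/|^[A-Za-z]:")

# Constructed sample; IIS writes cs-uri-query raw, i.e. still percent-encoded.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-10-02 09:14:01 10.0.0.5 GET /lib/asp/DOCSAVEASASP.ASP docurl=reports/q1.pdf 192.0.2.10 200
2025-10-02 09:14:07 10.0.0.5 GET /lib/asp/DOCSAVEASASP.ASP docurl=../../web.config 198.51.100.7 200
2025-10-02 09:14:09 10.0.0.5 GET /lib/asp/DOCSAVEASASP.ASP docurl=..%2F..%2Fweb.config 198.51.100.7 200
2025-10-02 09:14:12 10.0.0.5 GET /lib/asp/DOCSAVEASASP.ASP docurl=%252e%252e/web.config 198.51.100.7 404
2025-10-02 09:14:15 10.0.0.5 GET /index.asp - 192.0.2.10 200
2025-10-02 09:14:20 10.0.0.5 GET /lib/asp/DOCSAVEASASP.ASP docurl=reports\..\..\global.asa 198.51.100.7 200
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e and %2e both become '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_iis_log(text: str):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_requests(text: str) -> list:
    """Return entries hitting the endpoint with a traversal-shaped docurl."""
    hits = []
    for entry in parse_iis_log(text):
        if entry["cs-uri-stem"].lower() != VULNERABLE_STEM:
            continue
        # parse_qs decodes one layer; fully_decode handles deeper nesting.
        for raw in parse_qs(entry["cs-uri-query"]).get("docurl", []):
            value = fully_decode(raw).replace("\\", "/")
            if TRAVERSAL.search(value):
                hits.append({"time": entry["time"], "c-ip": entry["c-ip"],
                             "status": entry["sc-status"], "docurl": value})
    return hits


def clients_by_hits(hits: list) -> dict:
    """Count flagged requests per client address for triage."""
    counts: dict = {}
    for hit in hits:
        counts[hit["c-ip"]] = counts.get(hit["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['time']} {hit['c-ip']} status={hit['status']} docurl={hit['docurl']}")
    print(clients_by_hits(found))
```

The same matching logic is what a WAF virtual-patch rule for this endpoint should express: decode before matching, treat `\` like `/`, and alert on the `..` segment rather than on the literal string `../`. Pair the per-client counts with the HTTP status column; a run of 200 responses to traversal-shaped values is the signal that matters, while 404s show attempts that did not resolve.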


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-09-19T11:43:12.303Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68de8a13d034459bbdfb0c70

Added to database: 10/2/2025, 2:20:03 PM

Last enriched: 10/2/2025, 2:20:20 PM

Last updated: 10/2/2025, 8:14:40 PM
