CVE-2025-64235 is a path traversal vulnerability classified under CWE-22 affecting AmentoTech's Tuturn software versions before 3.6. Path traversal vulnerabilities occur when an application improperly restricts user-supplied file path inputs, allowing attackers to access files and directories outside the intended scope. In this case, an authenticated user with low privileges can manipulate file path parameters to read arbitrary files on the server. The vulnerability does not require user interaction beyond authentication and does not impact data integrity or system availability. The CVSS v3.1 score is 6.5 (medium), reflecting network attack vector, low attack complexity, and partial privileges required. No public patches or known exploits exist yet, but the vulnerability poses a risk of sensitive data exposure. The issue was reserved in late October 2025 and published in December 2025. Organizations using Tuturn should prepare to apply vendor patches and implement input validation controls to mitigate this threat.

For European organizations, this vulnerability primarily threatens confidentiality by enabling unauthorized access to sensitive files, potentially exposing personal data, intellectual property, or configuration files containing credentials. Sectors such as finance, healthcare, government, and critical infrastructure that rely on Tuturn for collaboration or workflow management could face data breaches leading to regulatory penalties under GDPR and reputational damage. Although the vulnerability does not affect system integrity or availability, the exposure of confidential information can facilitate further attacks or espionage. The requirement for low privilege authentication limits the attack surface but does not eliminate risk, especially in environments with many users or weak credential management. The absence of known exploits provides a window for proactive mitigation before active exploitation occurs.

1. Immediately audit and restrict file path inputs in Tuturn configurations and custom integrations to prevent traversal sequences (e.g., '../'). 2. Enforce the principle of least privilege for user accounts to minimize access scope. 3. Monitor logs for unusual file access patterns or attempts to access restricted directories. 4. Apply vendor patches promptly once available for version 3.6 or later. 5. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block path traversal attempts targeting Tuturn endpoints. 6. Conduct regular security assessments and penetration tests focusing on file handling functionalities. 7. Educate users about secure authentication practices to reduce compromised credentials risk. 8. Isolate critical systems running Tuturn in segmented network zones to limit lateral movement if exploited.