CVE-2025-65074: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WaveStore WaveStore Server
WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script. This issue was fixed in version 6.44.44.
AI Analysis
Technical Summary
CVE-2025-65074 is a vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The flaw exists in the WaveStore Server's handling of commands issued via the WaveView client, specifically in the showerr script. Although the client is designed to allow execution of a restricted set of predefined commands, the server fails to properly sanitize pathname inputs, enabling path traversal attacks. This allows a high-privileged attacker to escape the intended directory restrictions and execute arbitrary operating system commands on the server. The vulnerability does not require user interaction and does not allow privilege escalation beyond the existing high privileges, but it does allow full control over the server OS environment. The CVSS 4.0 base score is 8.6, indicating high severity, with network attack vector, low attack complexity, no authentication required beyond high privileges, and high impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed on December 16, 2025, and fixed in WaveStore Server version 6.44.44. No known exploits have been reported in the wild yet, but the potential impact is significant given the ability to execute arbitrary OS commands remotely.
Potential Impact
For European organizations, this vulnerability poses a serious risk to the confidentiality, integrity, and availability of critical systems running WaveStore Server. Successful exploitation could lead to unauthorized data access, data manipulation, or complete system compromise. Organizations in sectors such as finance, healthcare, telecommunications, and critical infrastructure that rely on WaveStore Server for storage or data management could experience operational disruption or data breaches. The ability to execute arbitrary OS commands remotely could facilitate lateral movement within networks, data exfiltration, or deployment of ransomware. Given the high privileges required, insider threats or compromised administrative accounts are the most likely vectors. The lack of known exploits currently provides a window for proactive patching and mitigation before widespread attacks occur.
Mitigation Recommendations
1. Immediately upgrade all WaveStore Server instances to version 6.44.44 or later where the vulnerability is patched.
2. Restrict administrative access to WaveStore Server to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication.
3. Implement strict input validation and sanitization on all client-server interactions, especially those involving command execution or file path inputs.
4. Limit the privileges of the WaveView client and the showerr script to the minimum necessary to operate, employing the principle of least privilege.
5. Monitor server logs for unusual command execution patterns or unauthorized access attempts.
6. Segment networks to isolate WaveStore Servers from less trusted network zones, reducing exposure to potential attackers.
7. Conduct regular security audits and vulnerability assessments focusing on command injection and path traversal vectors.
8. Educate administrators about the risks of high-privilege account compromise and enforce timely credential rotation.
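The path and command validation called for in recommendation 3, sketched as an added example (not WaveStore code): a server-side check that keeps a client-supplied path inside one directory and only dispatches allowlisted commands as an argument vector. The command table, the script location and the log directory layout are hypothetical.

```python
import os
import tempfile

# Hypothetical allowlist: command name -> fixed executable (not WaveStore's layout).
ALLOWED_COMMANDS = {"showerr": "/opt/example/scripts/showerr"}


class RejectedRequest(ValueError):
    """Raised when a client request fails validation."""


def resolve_in_base(base_dir, user_path):
    """Return the canonical path of user_path if it stays inside base_dir."""
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        raise RejectedRequest("empty, NUL-containing or absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedRequest("path escapes the permitted directory")
    return candidate


def build_argv(command, user_path, base_dir):
    """Build an argument vector for an allowlisted command, no shell involved."""
    if command not in ALLOWED_COMMANDS:
        raise RejectedRequest("command is not in the predefined set")
    target = resolve_in_base(base_dir, user_path)
    # Passed as a list (subprocess.run(argv, shell=False)), the path stays one argument.
    return [ALLOWED_COMMANDS[command], target]


def demo():
    """Run constructed inputs through the validator; returns {input: verdict}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        logs = os.path.join(tmp, "logs")
        os.makedirs(os.path.join(logs, "cam1"))
        os.symlink(tmp, os.path.join(logs, "out"))  # symlink leaving the base
        for p in ["cam1/error.log", "cam1/../../secret", "out/secret", "/etc/hosts"]:
            try:
                build_argv("showerr", p, logs)
                results[p] = "accepted"
            except RejectedRequest as exc:
                results[p] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The check is made on the resolved path rather than on the raw string, so a symlink inside the permitted directory that points outside it is rejected along with plain `..` sequences.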
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-11-17T09:20:09.472Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694154d05e006677ae0dd860
Added to database: 12/16/2025, 12:47:12 PM
Last enriched: 12/16/2025, 12:54:59 PM
Last updated: 12/16/2025, 4:05:43 PM