CVE-2025-65075 is a path traversal vulnerability classified under CWE-22 found in the WaveStore Server product. The vulnerability exists because the WaveView client allows execution of a limited set of predefined commands and scripts on the connected WaveStore Server, specifically through the 'alog' script. However, the input to this script is not properly sanitized or restricted, enabling an attacker with high privileges on the system to manipulate the pathname and traverse directories outside the intended restricted directory. This allows the attacker to read or delete arbitrary files on the server with the permissions of the 'dvr' user, which is the user context under which the server operates. The vulnerability does not require user interaction and can be exploited remotely over the network, but it does require the attacker to already have high privileges on the system, limiting the initial attack vector. The CVSS v4.0 score is 5.1 (medium severity), reflecting the moderate impact on confidentiality and integrity, with no impact on availability. The vulnerability affects all versions prior to 6.44.44, where the issue has been fixed. No public exploits or active exploitation have been reported to date. The vulnerability highlights the risk of insufficient input validation and improper restriction of file system paths in server-side scripts, which can lead to unauthorized file system access and potential data compromise or deletion.

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure or deletion of sensitive files on WaveStore Server systems, potentially disrupting video recording or surveillance data integrity if used in security or monitoring contexts. Since the attacker must have high privileges, the vulnerability primarily elevates the impact of insider threats or lateral movement after initial compromise. Confidentiality and integrity of data managed by the WaveStore Server could be compromised, affecting compliance with data protection regulations such as GDPR if personal or sensitive data is involved. Operational disruption could occur if critical files are deleted, impacting business continuity. Organizations relying on WaveStore Server for video storage or related services in sectors like public safety, transportation, or critical infrastructure may face increased risk. The lack of known exploits reduces immediate threat but patching remains essential to prevent future attacks, especially in environments with multiple users or complex access controls.

Organizations should immediately upgrade WaveStore Server installations to version 6.44.44 or later where the vulnerability is fixed. Until patching is possible, restrict access to the WaveView client and WaveStore Server to trusted administrators only, minimizing the number of users with high privileges. Implement strict access controls and monitoring on the 'dvr' user account and related file system permissions to detect and prevent unauthorized file access or deletion. Employ network segmentation and firewall rules to limit exposure of WaveStore Server to untrusted networks. Conduct regular audits of server logs to identify suspicious command executions or file operations related to the alog script. Additionally, review and harden input validation mechanisms in custom scripts or integrations with WaveStore Server to prevent similar path traversal issues. Incorporate these controls into incident response plans to quickly address any signs of exploitation.