
CVE-2025-8749: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Mobile Industrial Robots MiR Robots

Severity: Medium
Tags: Vulnerability, CVE-2025-8749, CWE-22
Published: Fri Aug 08 2025 (08/08/2025, 11:46:16 UTC)
Source: CVE Database V5
Vendor/Project: Mobile Industrial Robots
Product: MiR Robots

Description

Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request.

AI-Powered Analysis

Last updated: 11/05/2025, 15:36:50 UTC

Technical Analysis

CVE-2025-8749 is a CWE-22 path traversal vulnerability in an API endpoint of Mobile Industrial Robots (MiR) software versions prior to 3.0.0. An authenticated user with low privileges can craft API requests that bypass pathname restrictions and read arbitrary files on the robot's file system. The flaw arises from improper limitation of pathname input, which allows traversal outside the intended directory.

Exploitation requires no user interaction and has low attack complexity, but it does require authentication, which limits attackers to insiders or holders of compromised accounts. The vulnerability affects confidentiality by exposing potentially sensitive files stored on the robot, such as configuration files, logs, or credentials; it does not affect integrity or availability. The CVSS 3.1 base score is 6.5, reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact.

No public exploits or active exploitation have been reported. MiR robots are widely used in industrial automation and logistics, so the vulnerability is relevant to organizations relying on robotic process automation. The absence of a patch link suggests the fix is forthcoming in version 3.0.0 or later; until then, the vulnerability poses a risk of sensitive data leakage to authenticated users.
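Added illustration of the CWE-22 pattern described above beside its hardened counterpart. This is example code, not the advisory's or MiR's; the base directory, file names and function names are assumptions.

```python
import urllib.parse
from pathlib import Path

# Hypothetical directory the API is meant to serve files from (assumption,
# not a real MiR path). Anything that resolves outside it must be refused.
ROBOT_FILES_DIR = Path("/tmp/mir_demo/files")


def resolve_unsafe(user_path: str) -> Path:
    """CWE-22 pattern: the caller-supplied name is joined to the base
    directory with no check on where the result ends up, so '..' segments
    walk out of the intended directory."""
    return ROBOT_FILES_DIR / user_path


def resolve_safe(user_path: str) -> Path:
    """Hardened form: decode, strip a leading separator (which would
    otherwise replace the base), canonicalise (collapses '..' and symlinks),
    then require the result to remain inside the base directory."""
    # Decode twice so a double-encoded %252e%252e does not survive one pass.
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base = ROBOT_FILES_DIR.resolve()
    candidate = (base / decoded.lstrip("/\\")).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def escapes_base(candidate: Path) -> bool:
    """True when the canonical form of `candidate` lies outside the base;
    used here to show what resolve_unsafe() would hand to open()."""
    base = ROBOT_FILES_DIR.resolve()
    resolved = candidate.resolve()
    return resolved != base and base not in resolved.parents
```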

Potential Impact

For European organizations deploying MiR robots in manufacturing, warehousing, or logistics, this vulnerability presents a risk of unauthorized disclosure of sensitive information stored on the robots. Confidential data such as operational logs, system configurations, or credentials could be extracted by malicious insiders or attackers who have gained authentication credentials. This could lead to further compromise of the robotic infrastructure or intellectual property theft. While the vulnerability does not allow system disruption or data modification, the confidentiality breach could undermine trust in automation systems and expose organizations to compliance risks under GDPR if personal or sensitive data is involved. The impact is particularly significant for industries with high automation adoption, including automotive, pharmaceuticals, and electronics manufacturing prevalent in Europe. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially given the increasing targeting of industrial control and automation systems by threat actors.

Mitigation Recommendations

1. Upgrade MiR robots to software version 3.0.0 or later as soon as the patch is released to address the path traversal vulnerability.
2. Restrict API access strictly to trusted and authenticated users, implementing strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise.
3. Monitor API usage logs for unusual or unauthorized file access attempts that could indicate exploitation attempts.
4. Implement network segmentation to isolate robotic systems from general enterprise networks, limiting exposure to potential attackers.
5. Conduct regular security audits and vulnerability assessments of robotic systems and their management interfaces.
6. Educate staff with access to MiR robots about the importance of credential security and recognizing suspicious activities.
7. If immediate patching is not possible, consider disabling or restricting the vulnerable API endpoints if feasible, or applying compensating controls such as file system access restrictions at the OS level.
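Added example for recommendation 3 (monitoring API logs): a small detector that runs over constructed access-log lines and reports requests whose file path parameter carries a parent-directory component, including percent-encoded and double-encoded forms. The log layout, the /api/files endpoint and its path parameter are assumptions for the demo, not MiR's format; this is not code from the advisory.

```python
import re
import urllib.parse

# Constructed sample lines in a hypothetical access-log layout (not real MiR
# log output): timestamp, client, user, method, request, status. The
# /api/files endpoint and its 'path' parameter are assumptions for the demo.
SAMPLE_LOG = """\
2025-08-08T11:46:16Z 10.0.0.5 user=operator GET /api/files?path=logs/robot.log 200
2025-08-08T11:46:20Z 10.0.0.5 user=operator GET /api/files?path=../../etc/hostname 200
2025-08-08T11:46:25Z 10.0.0.9 user=tech GET /api/files?path=%2e%2e%2f%2e%2e%2fetc%2fhostname 200
2025-08-08T11:46:31Z 10.0.0.9 user=tech GET /api/files?path=%252e%252e%252fetc%252fhostname 404
2025-08-08T11:46:40Z 10.0.0.7 user=admin GET /api/status 200
2025-08-08T11:46:45Z 10.0.0.5 user=operator GET /api/files?path=config\\..\\..\\secret.yml 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) (?P<method>\S+) "
    r"(?P<req>\S+) (?P<status>\d+)$"
)
# A '..' component delimited by either separator style, checked after decoding.
DOTDOT_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so nested encodings such as
    %252e are unwrapped before the path is inspected."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_attempts(log_text: str) -> list:
    """Return (timestamp, user, client, decoded path) for every request whose
    file path parameter contains a parent-directory component or a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m["req"]).query
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for raw in urllib.parse.parse_qs(query).get("path", []):
            decoded = fully_decode(raw)
            if DOTDOT_RE.search(decoded) or "\x00" in decoded:
                hits.append((m["ts"], m["user"], m["ip"], decoded))
    return hits
```

Repeated hits from one account within a short window are the signal worth escalating; a single hit may be a typo, several are not.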


Technical Details

Data Version: 5.1
Assigner Short Name: TRO
Date Reserved: 2025-08-08T11:22:17.262Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6895e3f6ad5a09ad0002fd9c

Added to database: 8/8/2025, 11:48:06 AM

Last enriched: 11/5/2025, 3:36:50 PM

Last updated: 11/8/2025, 5:18:54 AM
