
CVE-2025-9918: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Google Cloud Google SecOps SOAR

High
Tags: Vulnerability, CVE-2025-9918, CWE-22
Published: Thu Sep 11 2025 (09/11/2025, 07:37:50 UTC)
Source: CVE Database V5
Vendor/Project: Google Cloud
Product: Google SecOps SOAR

Description

A Path Traversal vulnerability in the archive extraction component in Google SecOps SOAR Server (versions 6.3.54.0, 6.3.53.2, and all prior versions) allows an authenticated attacker with permissions to import Use Cases to achieve Remote Code Execution (RCE) via uploading a malicious ZIP archive containing path traversal sequences.

AI-Powered Analysis

Last updated: 09/11/2025, 12:32:12 UTC

Technical Analysis

CVE-2025-9918 is a critical path traversal vulnerability identified in the archive extraction component of Google Cloud's SecOps SOAR Server, affecting versions 6.3.54.0, 6.3.53.2, and all prior releases. This vulnerability arises from improper limitation of pathname inputs (CWE-22), allowing an authenticated attacker with permissions to import Use Cases to craft and upload a malicious ZIP archive containing path traversal sequences (e.g., '../') that bypass directory restrictions during extraction. Exploiting this flaw enables the attacker to write files outside the intended extraction directory, potentially overwriting critical system or application files. This can lead to Remote Code Execution (RCE) without requiring user interaction or elevated privileges beyond import permissions. The CVSS 4.0 base score is 8.7 (high severity), reflecting network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability's exploitation scope is limited to authenticated users with import rights, but given the nature of SOAR platforms—used for security orchestration and automation—compromise can have severe consequences, including full system takeover and disruption of security operations. No known exploits are currently reported in the wild, and no patches have been linked yet, emphasizing the need for immediate attention from affected organizations.

Potential Impact

For European organizations, the impact of CVE-2025-9918 is significant due to the critical role SOAR platforms play in automating incident response and managing security workflows. Successful exploitation could allow attackers to execute arbitrary code on SOAR servers, potentially compromising sensitive security data, disrupting automated defense mechanisms, and enabling lateral movement within networks. This could lead to data breaches, operational downtime, and erosion of trust in security infrastructure. Given the GDPR and other stringent data protection regulations in Europe, such a compromise could also result in regulatory penalties and reputational damage. Organizations relying on Google SecOps SOAR for centralized security operations, especially in sectors like finance, healthcare, and critical infrastructure, face heightened risk. The requirement for authenticated access somewhat limits exposure but does not eliminate risk, as insider threats or compromised credentials could be leveraged. The absence of known exploits provides a window for proactive mitigation but also necessitates urgent patching once available.

Mitigation Recommendations

European organizations should immediately audit and restrict import Use Case permissions to trusted administrators only, minimizing the attack surface. Implement strict access controls and multi-factor authentication (MFA) for all users with import privileges to reduce the risk of credential compromise. Monitor logs for unusual ZIP archive uploads or extraction errors indicative of path traversal attempts. Until a patch is released, consider disabling the import functionality if feasible or isolating the SOAR server in a segmented network zone with limited access. Employ file integrity monitoring on the SOAR server to detect unauthorized file changes. Engage with Google Cloud support for updates on patches or workarounds and apply them promptly upon release. Additionally, conduct regular security awareness training to prevent insider threats and credential misuse. Finally, integrate vulnerability scanning and penetration testing focused on SOAR components to identify and remediate similar issues proactively.
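The following is an added example written for this page; it is not Google's code and does not reproduce the affected extraction component. It shows the two defender-side controls the analysis and the mitigation section call for: a pre-extraction scan that flags archive members carrying traversal sequences (the kind of event worth logging and alerting on during Use Case imports), and an extraction routine that resolves every member against the destination and refuses the whole archive if any member would land outside it. Python's own `zipfile.extractall` already strips `..` components, so the example extracts members by hand to make the containment check explicit and portable to other archive libraries. The sample archives are constructed in memory; the `check_and_extract` helper is hypothetical glue for demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (constructed sample data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed inputs: a benign Use Case bundle and two traversal variants.
BENIGN = build_archive({"usecase/playbook.json": b"{}", "usecase/README.txt": b"ok"})
RELATIVE_ESCAPE = build_archive({"usecase/playbook.json": b"{}", "../../escaped.txt": b"x"})
ABSOLUTE_ESCAPE = build_archive({"/etc/escaped.conf": b"x"})


def find_traversal_entries(zip_bytes: bytes) -> list[str]:
    """Scan member names before anything is written and return those that
    could escape the extraction directory: absolute paths, drive-letter
    paths, or any '..' path component. Backslashes are treated as
    separators too, since some extractors honour them on Windows."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = PurePosixPath(name).parts
            has_drive = len(name) > 1 and name[1] == ":"
            if name.startswith("/") or ".." in parts or has_drive:
                flagged.append(info.filename)
    return flagged


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract into dest, but only after every member's resolved path has
    been confirmed to lie inside dest. Rejects the whole archive on the
    first offending member so nothing is written before the check fails.
    Returns the list of file paths written."""
    dest_path = Path(dest).resolve()
    plan = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            rel = info.filename.replace("\\", "/")
            # Path joining discards dest when rel is absolute, and resolve()
            # collapses '..', so the containment test below catches both.
            target = (dest_path / rel).resolve()
            if target != dest_path and dest_path not in target.parents:
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target))
    return written


def check_and_extract(zip_bytes: bytes) -> dict:
    """Hypothetical import handler: scan, then extract into a scratch
    directory, and report what a log line for the import would carry."""
    flagged = find_traversal_entries(zip_bytes)
    with tempfile.TemporaryDirectory() as tmp:
        try:
            written = safe_extract(zip_bytes, tmp)
        except ValueError:
            return {"flagged": flagged, "written": 0, "rejected": True}
        return {"flagged": flagged, "written": len(written), "rejected": False}


if __name__ == "__main__":
    for label, archive in [("benign", BENIGN), ("relative", RELATIVE_ESCAPE),
                           ("absolute", ABSOLUTE_ESCAPE)]:
        print(label, check_and_extract(archive))
```

The scan and the containment check are deliberately independent: the scan is cheap and produces the signal to alert on, while the resolve-then-compare step is the control that actually prevents a write outside the destination even for encodings the scan does not recognise.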


Technical Details

Data Version: 5.1
Assigner Short Name: GoogleCloud
Date Reserved: 2025-09-03T10:53:44.603Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c2c12d5fab504ad85bc105

Added to database: 9/11/2025, 12:31:41 PM

Last enriched: 9/11/2025, 12:32:12 PM

Last updated: 9/11/2025, 1:03:48 PM

