CVE-2026-0805 is a path traversal vulnerability categorized under CWE-22, found in the Backup Configuration component of Arcadia Technology, LLC's Crafty Controller software, specifically version 4.5.0. The vulnerability arises from improper input neutralization that allows an authenticated attacker to manipulate file path parameters to access or modify files outside the intended restricted directory. This flaw enables attackers to perform unauthorized file tampering and potentially achieve remote code execution (RCE) on the affected system. The attack vector is network-based, requiring low-level privileges and no user interaction, which increases the risk of exploitation in environments where authenticated access is possible. The vulnerability has a CVSS 3.1 base score of 8.2, reflecting high severity due to its impact on confidentiality and integrity, as well as the potential for code execution. Although no public exploits have been reported yet, the nature of the flaw makes it a critical concern for organizations relying on Crafty Controller for automation or control systems. The vulnerability’s exploitation could allow attackers to alter backup configurations, inject malicious code, or disrupt system operations, leading to significant operational and security consequences. The lack of available patches at the time of publication necessitates immediate mitigation efforts to prevent exploitation.

For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors that deploy Crafty Controller 4.5.0, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized disclosure or modification of sensitive configuration files, undermining system integrity and potentially enabling attackers to execute arbitrary code remotely. This could disrupt operational technology (OT) environments, cause downtime, or facilitate further lateral movement within networks. The confidentiality of backup configurations and related sensitive data is at risk, which may include proprietary or operationally critical information. Given the network-based attack vector and low privilege requirement, attackers who gain authenticated access—potentially through compromised credentials or insider threats—can leverage this vulnerability to escalate privileges or implant persistent threats. The impact extends to regulatory compliance concerns under GDPR and NIS Directive if personal or critical infrastructure data is compromised. The absence of known exploits currently provides a window for proactive defense, but the high severity score underscores the urgency for European entities to act swiftly.

1. Immediately restrict access to the Backup Configuration interface of Crafty Controller to trusted administrators only, using network segmentation and strong access controls. 2. Implement multi-factor authentication (MFA) to reduce the risk of credential compromise leading to authenticated access. 3. Employ strict input validation and sanitization on all file path parameters within the Backup Configuration component to prevent path traversal attempts. 4. Monitor system and application logs for unusual file access patterns or attempts to access directories outside the intended scope. 5. Use host-based intrusion detection systems (HIDS) to detect unauthorized file modifications or suspicious process executions. 6. If possible, isolate Crafty Controller instances from general network access, limiting exposure to only necessary management networks. 7. Engage with Arcadia Technology for updates or patches and apply them promptly once available. 8. Conduct regular security audits and penetration testing focused on path traversal and code injection vectors in the affected environment. 9. Educate administrators on the risks of this vulnerability and best practices for secure configuration management. 10. Consider deploying application-layer firewalls or web application firewalls (WAFs) that can detect and block path traversal payloads targeting the Backup Configuration endpoints.