CVE-2023-25289
Published: 04 May 2023
Summary
CVE-2023-25289 is a high-severity Path Traversal (CWE-22) vulnerability in Virtualreception Digital Reciptie. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 5.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-25289 is a directory traversal vulnerability, tracked as CWE-22, that affects the embedded web server component of virtualreception Digital Receptie version win7sp1_rtm.101119-1850 6.1.7601.1.0.65792. The flaw allows an attacker to access sensitive information by submitting a specially crafted GET request to the server.
An unauthenticated remote attacker can exploit the issue over the network without any privileges or user interaction, achieving disclosure of confidential files stored on the affected system. The vulnerability is rated 7.5 under CVSS 3.1, driven by its network attack vector, low complexity, and high confidentiality impact.
Public exploit code for the issue has been posted to Exploit-DB, but the supplied references contain no details on vendor patches, workarounds, or mitigation guidance. The associated EPSS probability has remained essentially flat near 0.15–0.16 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29251
Vulnerability details
Directory Traversal vulnerability in virtualreception Digital Receptie version win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 in embedded web server, allows attacker to gain sensitive information via a crafted GET request.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.