Cyber Resilience

CVE-2023-42225

Severity: High
Published: 13 January 2025
Modified: 17 April 2025
KEV: not listed
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0072 (72.9th percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-42225 is a high-severity Path Traversal (CWE-22) vulnerability in Zucchetti Helpdeskadvanced. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 27.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-42225 is a directory traversal vulnerability affecting Pat Infinite Solutions HelpdeskAdvanced versions up to and including 11.0.33. The flaw resides in the Attachment/DownloadTempFile function, which allows attackers to access files outside the intended directory by manipulating input parameters, as classified under CWE-22. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impacts.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending crafted requests to the vulnerable function, they can traverse directories and retrieve arbitrary files from the server, potentially exposing sensitive information such as configuration files, user data, or system details.

The primary reference for this CVE is a listing in a GitLab repository at https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md, which documents the issue but, in the information available, gives no specific details on patches or mitigation steps. Security practitioners should check with the vendor for releases beyond version 11.0.33 and, as interim measures, enforce input validation on the file-name parameter or restrict access to the affected endpoint.

Vulnerability details

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Attachment/DownloadTempFile function.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Directory traversal enables arbitrary local file read (T1005); remote, unauthenticated exploitation of a public-facing application maps to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-42226 - same product: Zucchetti Helpdeskadvanced
CVE-2023-42227 - same product: Zucchetti Helpdeskadvanced
CVE-2023-42232 - same product: Zucchetti Helpdeskadvanced
CVE-2023-42231 - same product: Zucchetti Helpdeskadvanced
CVE-2023-42228 - same product: Zucchetti Helpdeskadvanced
CVE-2025-12824 - shared CWE-22
CVE-2026-49136 - shared CWE-22
CVE-2026-25965 - shared CWE-22
CVE-2025-30567 - shared CWE-22
CVE-2025-27098 - shared CWE-22

Affected Assets

Vendor: zucchetti
Product: helpdeskadvanced
Versions: ≤ 11.0.33

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mitigates directory traversal by validating and sanitizing input parameters to the Attachment/DownloadTempFile function, preventing path manipulation attacks.

SI-2 Flaw Remediation (prevent): Remediates the vulnerability by applying vendor patches or upgrades to HelpdeskAdvanced versions beyond 11.0.33, eliminating the flaw in the DownloadTempFile function.

Boundary protection (prevent): Deploys boundary protections such as web application firewalls to inspect and block network requests containing directory traversal sequences targeting the vulnerable endpoint.
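As an added illustration of the SI-10 input-validation control (example code written here, not the vendor's DownloadTempFile implementation, which is not public on this page), the check below confines a user-supplied temp-file name to its intended directory by canonical-path containment rather than by pattern-matching "../". The root directory, handler name and sample inputs are constructed assumptions.

```python
import os
from urllib.parse import unquote

# Constructed assumption: the only directory the download handler may serve from.
TEMP_ROOT = "/var/app/helpdesk/temp"


def resolve_temp_file(user_supplied: str, root: str = TEMP_ROOT):
    """Map an untrusted file-name parameter to a path inside `root`.

    Returns the resolved absolute path, or None when the request must be
    rejected. Order matters: decode first, normalise separators, then check
    containment against the canonical root so that "..", "." and symlinks
    inside the temp directory are all resolved before the comparison.
    """
    # NUL bytes truncate paths in many native file APIs; refuse them outright.
    if "\x00" in user_supplied:
        return None
    # Percent-decode until stable (bounded): "%252e%252e" only becomes ".."
    # after a second pass, which a single decode would miss.
    decoded = user_supplied
    for _ in range(2):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        return None
    # Treat Windows separators as separators too, so "..\\" is not waved
    # through on a POSIX host (or vice versa).
    decoded = decoded.replace("\\", "/")
    canonical_root = os.path.realpath(root)
    # os.path.join discards `root` if `decoded` is absolute; the containment
    # check below catches that case rather than trusting the join.
    candidate = os.path.realpath(os.path.join(canonical_root, decoded))
    if os.path.commonpath([canonical_root, candidate]) != canonical_root:
        return None
    if candidate == canonical_root:  # "" or "." would return the directory itself
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample parameter values a download handler might receive.
    for value in ["report.pdf", "../../etc/passwd", "%2e%2e%2fetc%2fpasswd",
                  "%252e%252e%252fetc%252fpasswd", "..\\..\\windows\\win.ini",
                  "/etc/passwd", "sub/ticket-1.txt"]:
        print(f"{value!r:40} -> {resolve_temp_file(value)}")
```

The same containment check belongs in the handler that reads the file, not only in a WAF rule, since encoding variants that evade a signature still resolve to the same canonical path here.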
