CVE-2025-27718
Published: 28 March 2025
Summary
CVE-2025-27718 is a high-severity Path Traversal (CWE-22) vulnerability in JVN (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 18.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-27718 is a path traversal vulnerability (CWE-22) in the file upload process of the USB storage file-sharing function on HGW-BL1500HM firmware versions 002.002.003 and earlier. The flaw allows improper pathname handling during HTTP interactions with the device's LAN-accessible functions, rated at CVSS 8.8.
An authenticated attacker on the local network can send a crafted HTTP request to specific endpoints and read or modify arbitrary files on the device or execute arbitrary code. The attack requires LAN access and valid credentials but no user interaction.
Vendor advisories from KDDI and JVN recommend updating to a fixed firmware version once released and restricting LAN-side access to the affected file-sharing functions until patches are applied. The EPSS score remains flat at 0.0147 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8562
Vulnerability details
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained and/or altered or arbitrary code may be executed by a crafted HTTP request to specific functions of the product from a device connected to the LAN side.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
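As an added defensive example (not code from the vendor, KDDI, JVN or the advisory), the following Python shows the control described above: validating an upload filename against a fixed storage root before anything is written, rejecting encoded, double-encoded and backslash variants of `..` and then confirming the resolved path still sits under the root. The storage root and the sample filenames are assumptions, not values from the page.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical upload root; the real device path is not given on the page.
UPLOAD_ROOT = "/mnt/usb/share"


def safe_upload_path(root: str, user_filename: str) -> Optional[str]:
    """Return an absolute path under root for the upload, or None if rejected."""
    # Decode percent-encoding twice so '..%252F' (double-encoded) is caught,
    # then fold Windows separators so '..\\' cannot slip past a '/'-only check.
    name = unquote(unquote(user_filename)).replace("\\", "/")
    # NUL bytes can truncate the path in C-level file APIs.
    if "\x00" in name:
        return None
    # No absolute paths: every upload must be relative to the share root.
    if name.startswith("/") or posixpath.isabs(name):
        return None
    # Strict policy: any '..' segment is rejected outright, even 'a/../b'.
    if any(seg == ".." for seg in name.split("/")):
        return None
    norm = posixpath.normpath(name)
    if norm in (".", ""):
        return None
    # Defence in depth: resolve symlinks and confirm containment under root.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, norm))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample filenames: two benign, the rest traversal attempts.
    samples = ["photo.jpg", "docs/report.pdf", "../../etc/passwd",
               "..%2F..%2Fetc%2Fpasswd", "..%252F..%252Fetc%2Fpasswd",
               "..\\..\\etc\\passwd", "/etc/passwd", "a\x00.jpg"]
    for s in samples:
        print(repr(s), "->", safe_upload_path(UPLOAD_ROOT, s))
```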