CVE-2025-44177
Published: 09 July 2025
Summary
CVE-2025-44177 is a high-severity Path Traversal (CWE-22) vulnerability in Wss Protop. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 7.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Deeper analysis
A directory traversal vulnerability exists in White Star Software Protop version 4.4.2-2024-11-27 within the /pt3upd/ endpoint. The flaw, tracked as CVE-2025-44177 and assigned CWE-22, permits remote retrieval of arbitrary files from the underlying operating system through the use of encoded path traversal sequences. It carries a CVSS 3.1 score of 8.2, reflecting a network attack vector, low attack complexity, and no requirement for authentication or user interaction.
Unauthenticated attackers with network access can exploit the issue to read sensitive files on the host system. The published EPSS score remains flat at 0.0927 with no observed increase after disclosure.
Public references include a technical gist detailing the traversal technique and the vendor site at protop.com, though no specific mitigation guidance or patch information is provided in the available details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20833
Vulnerability details
A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely read arbitrary files on the underlying OS using encoded traversal sequences.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal enables remote arbitrary file read from local system (T1005) via exploitation of a public-facing application endpoint (T1190).
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates input validation at entry points like the /pt3upd/ endpoint to reject or sanitize encoded directory traversal sequences, directly preventing arbitrary file reads.
SI-2 requires timely identification, reporting, and patching of flaws such as the directory traversal vulnerability in Protop version 4.4.2-2024-11-27.
SC-14 restricts unauthorized public access to sensitive information and limits transactions on unauthenticated endpoints like /pt3upd/ to block arbitrary file disclosure.
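The SI-10 control above calls for rejecting or sanitizing encoded traversal sequences at the file-serving entry point. The following is an added example of such a check for a download handler, written for this page and not taken from Protop or its vendor; the base directory and the sample requests are constructed placeholders.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Allow-list for one path segment: no separators, no percent signs.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")

class TraversalRejected(ValueError):
    pass

def resolve_safe(base_dir: str, request_path: str, max_decode: int = 3) -> Path:
    """Map a request path onto a file under base_dir, or raise TraversalRejected."""
    # Decode percent-encoding until stable so %2e%2e and %252e%252e
    # (single- and double-encoded '..') cannot bypass a single-pass check.
    decoded = request_path
    for _ in range(max_decode):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise TraversalRejected("too many layers of percent-encoding")
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    # Backslashes count as separators so Windows-style traversal is caught too.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    for seg in segments:
        if seg == ".." or not SAFE_SEGMENT.fullmatch(seg):
            raise TraversalRejected(f"disallowed path segment {seg!r}")
    # Defence in depth: resolve symlinks, then confirm the target sits below base.
    base = Path(base_dir).resolve()
    target = base.joinpath(*segments).resolve()
    if base not in target.parents:
        raise TraversalRejected("resolved path is not a file below the base directory")
    return target

def check_requests(base_dir: str, requests: list) -> dict:
    """Classify each request as ('ok', relative path) or ('rejected', reason)."""
    out = {}
    for req in requests:
        try:
            rel = resolve_safe(base_dir, req).relative_to(Path(base_dir).resolve())
            out[req] = ("ok", rel.as_posix())
        except TraversalRejected as exc:
            out[req] = ("rejected", str(exc))
    return out

# Constructed sample requests (not captured traffic); the base directory is a placeholder.
SAMPLE_REQUESTS = ["patch-4.4.2.zip", "notes/readme.txt", "..%2f..%2fconfig.ini",
                   "%252e%252e/config.ini", "notes\\..\\..\\config.ini", "a%00.txt", ""]
```

Calling `check_requests("/srv/pt3upd-files", SAMPLE_REQUESTS)` accepts the two plain file names and rejects the single-encoded, double-encoded, backslash and NUL-byte variants along with the empty request.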