CVE-2025-0472

High

Published: 16 January 2025

Modified: 07 May 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0019 (41.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response.

Security Summary

CVE-2025-0472 is an information exposure vulnerability in the PMB platform, affecting versions 4.2.13 and earlier. Published on 2025-01-16, the flaw allows an attacker to upload a file to the environment and enumerate internal files on the machine by inspecting the request response. It is linked to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By uploading a file and analyzing the response, the attacker achieves enumeration of internal files, resulting in significant information disclosure (C:H) without impacting integrity or availability.

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform provides details on this and other vulnerabilities in the PMB platform, including recommended mitigations.

Details

CWE(s)
CWE-200, CWE-434

Affected Products

sigb pmb, versions ≤ 4.2.13

References