CVE-2025-1035
Published: 18 February 2025
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technologies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1.
Security Summary
CVE-2025-1035 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22 (Path Traversal), affecting Komtera Technologies KLog Server versions prior to 3.1.1. The flaw arises from insufficient validation of web inputs passed to file system calls, enabling attackers to traverse directory boundaries and access files outside intended paths. Published on 2025-02-18 with a CVSS v3.1 base score of 5.7 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), it poses a moderate risk primarily due to its high confidentiality impact.
Exploitation requires an attacker to have low privileges (PR:L) and access to the adjacent network (AV:A), with low attack complexity and no user interaction needed. Successful attacks allow unauthorized reading of sensitive files (high confidentiality impact) but do not enable modification or denial of service.
Mitigation is addressed in KLog Server version 3.1.1, as detailed in the vendor's release notes at https://www.klogserver.com/surum-notlari/3-1-1/. Additional guidance is provided in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0037, recommending immediate updates for affected systems.
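The weakness described above, web input reaching a file system call without a directory boundary check, is shown below in an added Python example that is not KLog Server code: the vulnerable join-and-use pattern next to a resolver that keeps the request inside a fixed directory. The base directory and request paths are constructed values.

```python
"""CWE-22 illustration: unchecked web path vs. a bounded resolver.

Added example, not vendor code. Base directory and requests are constructed.
"""
import os
import urllib.parse


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    # Vulnerable pattern: the web-supplied name is joined onto the base
    # directory and handed straight to a file system call. A value such as
    # "../../../etc/passwd" simply walks out of base_dir.
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return an absolute path inside base_dir or raise ValueError.

    Decode exactly once (so %2e%2e is seen as '..'), reject embedded NUL
    bytes and absolute input, then canonicalise with realpath so symlinks
    inside base_dir cannot point outside it, and require the result to
    share base_dir as its common prefix.
    """
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise ValueError("absolute path not allowed")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # Both paths are absolute here, so commonpath is a reliable prefix test
    # (a plain startswith would accept "/srv/klog/logs-old" for "/srv/klog/logs").
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    base = "/srv/klog/logs"  # constructed base directory
    for req in ["2025/app.log", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        try:
            print(f"{req!r:40} -> allowed: {safe_resolve(base, req)}")
        except ValueError as exc:
            print(f"{req!r:40} -> rejected: {exc} (unchecked join would give "
                  f"{unsafe_resolve(base, req)})")
```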
Details
- CWE(s)