CVE-2025-68916
Published: 24 December 2025
Description
Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Directly mitigates directory traversal in file uploads by validating the client-supplied filename at the certsupload.cgi endpoint and rejecting /../ sequences.
- Restricts file upload paths to authorized directories only, blocking traversal to arbitrary locations on the filesystem.
- Remediates the vulnerability by updating the application to version 1.12 or later, as specified in the advisory.
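The first two controls above amount to one coding rule: never join a client-supplied name onto the upload directory unchecked, and confirm the resolved target still lies under that directory. The following Python is an added illustration written for this record; it is not the NetMan 208 firmware or the vendor's certsupload.cgi code. The upload directory `/srv/netman/certs`, the accepted suffix list and the sample filenames are all constructed assumptions.

```python
import os
from pathlib import PurePosixPath

# Assumption: a certificate-upload endpoint only needs these file types.
ALLOWED_SUFFIXES = {".pem", ".crt", ".key"}


def naive_upload_path(upload_dir: str, client_name: str) -> str:
    """The vulnerable pattern: the client-supplied name is joined onto the
    upload directory with no validation, so '/../' components walk out of it."""
    return os.path.normpath(os.path.join(upload_dir, client_name))


def safe_upload_path(upload_dir: str, client_name: str) -> str:
    """Return an absolute path inside upload_dir for client_name, or raise
    ValueError. Implements the two controls: reject traversal in the input,
    then verify the resolved path is confined to the authorized directory."""
    if not client_name or "\x00" in client_name:
        raise ValueError("empty or NUL-containing filename")
    # Keep only the final path component (treat backslashes as separators
    # too) and insist that the client sent exactly that and nothing more.
    name = PurePosixPath(client_name.replace("\\", "/")).name
    if name in ("", ".", "..") or name != client_name:
        raise ValueError("filename must not contain path separators or traversal")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("unexpected file type for a certificate upload")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: even after the name check, confirm containment
    # after symlink and '..' resolution.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the upload directory")
    return target


def classify(upload_dir: str, names: list[str]) -> dict[str, dict[str, bool]]:
    """For each constructed filename, report whether the naive join would
    land outside upload_dir and whether the safe builder accepts it."""
    base = os.path.realpath(upload_dir)
    report = {}
    for n in names:
        naive = naive_upload_path(base, n)
        escapes = os.path.commonpath([base, naive]) != base
        try:
            safe_upload_path(upload_dir, n)
            accepted = True
        except ValueError:
            accepted = False
        report[n] = {"naive_escapes": escapes, "safe_accepts": accepted}
    return report


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, one classic traversal,
    # one with a subdirectory, one triple-dot name and one wrong file type.
    samples = ["server.pem", "../../../etc/config.pem",
               "subdir/chain.crt", "...", "notes.txt", "cert.pem\x00.txt"]
    for name, verdict in classify("/srv/netman/certs", samples).items():
        print(repr(name), verdict)
```

Only `server.pem` is accepted by the safe builder; the traversal name is the one the naive join would have written under `/etc`, which is the behaviour this CVE describes. The `commonpath` check after `realpath` is what catches cases the string check alone cannot see, such as a symlink inside the upload directory pointing elsewhere.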
Security Summary [AI-generated]
CVE-2025-68916 is a directory traversal vulnerability affecting the Riello UPS NetMan 208 Application in versions before 1.12. The issue resides in the cgi-bin/certsupload.cgi endpoint, which permits path traversal via /../ sequences during file uploads, enabling arbitrary file placement and resultant remote code execution. It is classified under CWE-25 (Path Traversal: '.../...') and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
The vulnerability can be exploited by a privileged user (PR:H) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to upload files to arbitrary locations, leading to code execution on the target system. This results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H); the scope change (S:C) indicates that the impact extends beyond the vulnerable web application to the underlying system.
Mitigation details are available in the advisory published at https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025, which covers this and related Riello vulnerabilities.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Directory traversal in a web CGI endpoint enables arbitrary file upload and RCE on a network-accessible application, which directly corresponds to exploitation of a public-facing application.