CVE-2025-51539

EzGED3 3.5.0 contains an unauthenticated arbitrary file read vulnerability due to improper access control and insufficient input validation in a script exposed via the web interface. A remote attacker can supply a crafted path parameter to a PHP script to read arbitrary files from the filesystem. The script lacks both authentication checks and secure path handling, allowing directory traversal attacks (e.g., ../../../) to access sensitive files such as configuration files, database dumps, source code, and password reset tokens. If phpMyAdmin is exposed, extracted credentials can be used for direct administrative access. In environments without such tools, attacker-controlled file reads still allow full database extraction by targeting raw MySQL data files. The vendor states that the issue is fixed in 3.5.72.27183.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://ballpoint.fr/en/blog/ezged3-preauth-file-read-admin-takeover	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ezged:ezged3:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-19 16:15

Updated : 2025-10-07 21:06

NVD link : CVE-2025-51539

Mitre link : CVE-2025-51539

CVE.ORG link : CVE-2025-51539

JSON object : View

Products Affected

ezged

ezged3

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-51539", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-08-19T16:15:28.560", "references": [{"url": "https://ballpoint.fr/en/blog/ezged3-preauth-file-read-admin-takeover", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "EzGED3 3.5.0 contains an unauthenticated arbitrary file read vulnerability due to improper access control and insufficient input validation in a script exposed via the web interface. A remote attacker can supply a crafted path parameter to a PHP script to read arbitrary files from the filesystem. The script lacks both authentication checks and secure path handling, allowing directory traversal attacks (e.g., ../../../) to access sensitive files such as configuration files, database dumps, source code, and password reset tokens. If phpMyAdmin is exposed, extracted credentials can be used for direct administrative access. In environments without such tools, attacker-controlled file reads still allow full database extraction by targeting raw MySQL data files. The vendor states that the issue is fixed in 3.5.72.27183."}, {"lang": "es", "value": "EzGED3 3.5.0 contiene una vulnerabilidad de lectura arbitraria de archivos sin autenticaci\u00f3n debido a un control de acceso inadecuado y una validaci\u00f3n de entrada insuficiente en un script expuesto a trav\u00e9s de la interfaz web. Un atacante remoto puede proporcionar un par\u00e1metro de ruta manipulado a un script PHP para leer archivos arbitrarios del sistema de archivos. El script carece de comprobaciones de autenticaci\u00f3n y gesti\u00f3n de rutas seguras, lo que permite ataques de salto de directorio (p. ej., ../../../) para acceder a archivos sensibles como archivos de configuraci\u00f3n, volcados de bases de datos, c\u00f3digo fuente y tokens de restablecimiento de contrase\u00f1a. Si phpMyAdmin est\u00e1 expuesto, las credenciales extra\u00eddas pueden usarse para acceso administrativo directo. En entornos sin estas herramientas, las lecturas de archivos controladas por el atacante permiten la extracci\u00f3n completa de la base de datos al dirigirse a archivos de datos MySQL sin procesar. El proveedor afirma que el problema est\u00e1 corregido en la versi\u00f3n 3.5.72.27183."}], "lastModified": "2025-10-07T21:06:21.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ezged:ezged3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F2EBF8C-9423-4584-BE72-D2CCA1D38C6C", "versionEndExcluding": "3.5.72.27183", "versionStartIncluding": "3.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}