VYPR
Unrated severity · NVD Advisory · Published Oct 1, 2023 · Updated Sep 20, 2024

SATO CL4NX-J Plus path traversal

CVE-2023-5327

Description

Path traversal vulnerability in SATO CL4NX-J Plus printer's /rest/dir/ endpoint allows local network attackers to read arbitrary files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path traversal vulnerability exists in SATO CL4NX-J Plus firmware version 1.13.2-u455_r2. The issue resides in the /rest/dir/ endpoint, where the parameter named "full" is not properly sanitized. An attacker can manipulate this parameter to traverse directories outside the intended scope. The vulnerability has been publicly disclosed and assigned VDB-241028 [1].

Exploitation

An attacker must be on the same local network as the affected device. No authentication is required. By sending a crafted HTTP request to /rest/dir/ in which the "full" parameter contains path traversal sequences (e.g., ../), the attacker can access files outside the web root. The exploit has been demonstrated in a public proof-of-concept [1].

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files from the printer's filesystem. This can lead to disclosure of sensitive information such as configuration files, credentials, or other data stored on the device. The impact is limited to information disclosure; no remote code execution or privilege escalation is indicated in the available references [1].

Mitigation

As of the publication date, no official patch or firmware update has been released by SATO to address this vulnerability. Users should restrict network access to the printer to trusted devices only, and monitor for vendor updates. The device may be considered end-of-life or unsupported; contacting SATO support is recommended. No workaround is provided in the disclosed references [1].
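
Since no patch is available, monitoring traffic to the printer is one of the few controls left. The following is an added example, not code from SATO or from the advisory's references: it flags requests to /rest/dir/ whose "full" value contains a ".." path segment after repeated percent-decoding. It assumes "full" is sent in the query string and that a proxy or network sensor in front of the printer writes common-log-format lines; the sample log is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/rest/dir/"   # endpoint named in the advisory
PARAM = "full"            # parameter named in the advisory

# Constructed sample lines in common log format (not captured from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2023:10:00:01 +0000] "GET /rest/dir/?full=labels/queue HTTP/1.1" 200 512
192.0.2.44 - - [01/Oct/2023:10:00:07 +0000] "GET /rest/dir/?full=../../EXAMPLE/file HTTP/1.1" 200 1833
192.0.2.44 - - [01/Oct/2023:10:00:09 +0000] "GET /rest/dir/?full=%252e%252e%252fEXAMPLE HTTP/1.1" 200 90
192.0.2.10 - - [01/Oct/2023:10:00:12 +0000] "GET /rest/status?full=../x HTTP/1.1" 404 0
192.0.2.51 - - [01/Oct/2023:10:00:15 +0000] "GET /rest/dir/?full=a..b/report..txt HTTP/1.1" 200 77
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def has_traversal(value):
    """True if any path segment is exactly '..' after decoding and slash normalisation."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def suspicious_requests(log_text):
    """Return (source_ip, timestamp, status, logged_value) for flagged /rest/dir/ requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        if not unquote(url.path).startswith(ENDPOINT):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and has_traversal(value):
                hits.append((src, ts, int(status), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is worth prioritising, since it suggests the device answered rather than rejected the path.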

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • SATO/CL4NX-J Plus (llm-fuzzy), 2 versions: =1.13.2-u455_r2 + 1 more
    • (no CPE) range: =1.13.2-u455_r2
    • (no CPE) range: 1.13.2-u455_r2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
