CVE-2025-11337
Description
A vulnerability was detected in Four-Faith Water Conservancy Informatization Platform up to version 2.2. It affects an unknown part of the file /aloneReport/index.do/../../aloneReport/download.do;othersusrlogout.do. Manipulating the argument fileName results in path traversal. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated path traversal vulnerability in Four-Faith Water Conservancy Informatization Platform allows arbitrary file read via the fileName parameter.
Vulnerability
Overview
CVE-2025-11337 is an arbitrary file read vulnerability in the Four-Faith Water Conservancy Informatization Platform up to version 2.2. The flaw resides in the /aloneReport/index.do/../../aloneReport/download.do endpoint, where the fileName parameter is processed without proper validation. This allows directory traversal sequences (e.g., ../) to be injected, enabling an attacker to read arbitrary files from the server [1].
Exploitation
The vulnerability can be exploited remotely without authentication. A crafted GET request to the vulnerable endpoint with a manipulated fileName parameter, such as ../WEB-INF/classes/web.properties, triggers the path traversal. The exploit is publicly available and has been demonstrated against a live test environment [1].
Impact
Successful exploitation allows an unauthenticated attacker to read sensitive files from the server, including configuration files (e.g., web.properties), potentially exposing credentials, database connection strings, and other confidential data. This could lead to further compromise of the application and underlying infrastructure [1].
Mitigation
The vendor was contacted but did not respond. No official patch or workaround has been released. Users should consider restricting access to the vulnerable endpoint via network controls or upgrading to a patched version if one becomes available. The vulnerability is publicly known and should be prioritized for remediation [1].
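As an added illustration (not the vendor's code), the two checks a defender wants for the traversal described above, written in Python: a download handler that canonicalizes fileName against a fixed report directory and refuses anything that escapes it, and a scan of constructed access-log lines for traversal sequences after a single URL-decode. The base directory, the log format and the sample lines are assumptions.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote

REPORT_DIR = Path("/opt/reports").resolve()  # assumed directory the handler serves from


def resolve_download(file_name: str, base: Path = REPORT_DIR) -> Optional[Path]:
    """Return the file to serve, or None when fileName would leave ``base``.

    Decodes once (so %2e%2e is not missed), rejects NUL bytes and absolute
    paths, then resolves the joined path (collapsing ../) and requires the
    result to still sit under the base directory.
    """
    name = unquote(file_name)
    if "\x00" in name or Path(name).is_absolute():
        return None
    candidate = (base / name).resolve(strict=False)
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the report directory
    if candidate == base:
        return None  # the directory itself is never a downloadable file
    return candidate


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, raw request target) for entries whose target
    contains a traversal sequence once URL-decoded."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = unquote(match.group(1))
        if "../" in target or "..\\" in target:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample access-log lines; the second mirrors the request path in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2026:10:00:01 +0000] "GET /aloneReport/download.do?fileName=report1.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/May/2026:10:00:07 +0000] "GET /aloneReport/index.do/../../aloneReport/download.do;othersusrlogout.do?fileName=../WEB-INF/classes/web.properties HTTP/1.1" 200 812',
    '10.0.0.9 - - [19/May/2026:10:00:09 +0000] "GET /aloneReport/download.do?fileName=..%2FWEB-INF%2Fclasses%2Fweb.properties HTTP/1.1" 200 812',
]
```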
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.