CVE-2025-41428
Description
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in TimeWorks 10.0 to 10.3. If exploited, arbitrary JSON files on the server may be viewed by a remote unauthenticated attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TimeWorks 10.0 to 10.3 contains a path traversal vulnerability allowing an unauthenticated remote attacker to view arbitrary JSON files on the server.
Vulnerability Details
CVE-2025-41428 is a path traversal vulnerability (CWE-22) found in the web server module of TimeWorks versions 10.0 through 10.3, developed by Keiyo System Co., LTD. The issue stems from improper limitation of a pathname to a restricted directory, which enables an attacker to bypass access controls and read files outside the intended directories [1][2].
Exploitation
The vulnerability can be exploited remotely by an unauthenticated attacker over the network. No authentication or special privileges are required, and the attack complexity is low. By crafting a malicious request that includes path traversal sequences (e.g., '../'), an attacker can navigate the server's filesystem and access JSON files that should not be publicly exposed [1].
Impact
Successful exploitation allows the attacker to view arbitrary JSON files stored on the server. While the confidentiality impact is limited to JSON files and does not extend to other file types, it could still lead to disclosure of sensitive configuration data, user information, or other confidential data stored in JSON format. There is no impact on integrity or availability [1].
Mitigation
The vendor, Keiyo System Co., LTD, has released a patch for the web server module. Users of TimeWorks versions 10.0 to 10.3 are advised to apply the patch according to the developer's instructions. The disclosure was coordinated by JPCERT/CC, and the vulnerability was reported by Masamu Asato of GMO Cybersecurity by Ierae, Inc. [1][2].
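The core defensive control against this class of bug is strict containment of every client-supplied filename inside the directory the JSON endpoint is meant to serve. The following resolver is an added illustration of that check, not code from TimeWorks or Keiyo System; the function name, the base directory and the sample requests are constructed for the example.

```python
import os
from typing import Dict, Optional
from urllib.parse import unquote

def resolve_json_path(base_dir: str, requested: str) -> Optional[str]:
    """Map a client-supplied name onto a JSON file under base_dir.

    Returns the canonical absolute path, or None when the request must be
    refused: traversal components, absolute paths, percent-encoded variants,
    embedded NUL bytes and non-.json targets are all rejected."""
    # Decode twice so nested encodings such as %252e%252e collapse to '..'.
    name = unquote(unquote(requested))
    # NUL bytes would truncate the name in lower layers; refuse them early.
    if "\x00" in name:
        return None
    # Treat backslashes as separators so Windows-style traversal is caught.
    name = name.replace("\\", "/")
    # Absolute paths and any literal '..' component are never acceptable.
    if name.startswith("/") or ".." in name.split("/"):
        return None
    # This directory only ever serves .json documents.
    if not name.lower().endswith(".json"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Final containment check on the canonical path; realpath also defeats
    # symlinks that point outside the served directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def classify_requests(base_dir: str, requests) -> Dict[str, bool]:
    """Return {request: allowed} for a batch of names (useful for tests)."""
    return {r: resolve_json_path(base_dir, r) is not None for r in requests}

if __name__ == "__main__":
    # Constructed sample requests, not captured from any real system.
    samples = ["report.json", "sub/settings.json", "../config.json",
               "%2e%2e/secrets.json", "..%5c..%5cusers.json",
               "report.json%00.txt", "/etc/hostname", "notes.txt"]
    for req, ok in classify_requests("/srv/app/json", samples).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req}")
```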
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.