CVE-2025-54959
Description
Powered BLUE Server versions 0.20130927 and prior contain a path traversal vulnerability. If this vulnerability is exploited, an arbitrary file in the affected product may be disclosed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in Powered BLUE Server versions 0.20130927 and prior allows an authenticated attacker to disclose arbitrary files on the affected product.
Vulnerability Overview
CVE-2025-54959 is a path traversal vulnerability (CWE-22) affecting Powered BLUE Server versions 0.20130927 and prior. The flaw exists in the handling of file paths, enabling an authenticated user to bypass intended directory restrictions and access files outside the web root. The root cause is insufficient validation of user-supplied input used in file operations.
Exploitation
An attacker must be authenticated to the affected product and have network access. The attack complexity is low, requiring no special privileges beyond a valid account. The vulnerability is exploitable over the network without user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Impact
Successful exploitation allows an attacker to read arbitrary files on the server, potentially exposing sensitive configuration data, credentials, or other confidential information. The impact is limited to confidentiality (low), with no direct effect on integrity or availability.
Mitigation
The affected product is end-of-life and no longer supported by the vendor. The developer recommends discontinuing use and migrating to the unaffected alternative product, Powered BLUE 890 [2]. No patch is available; users should follow the vendor's guidance to switch to a supported version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.