CVE-2025-65418
Description
docuFORM Managed Print Service Client 11.11c is vulnerable to a directory traversal that allows attackers to read arbitrary files via a crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A directory traversal vulnerability in docuFORM Managed Print Service Client 11.11c allows unauthenticated remote attackers to read arbitrary files via crafted URL paths.
Vulnerability Overview
The docuFORM Managed Print Service Client version 11.11c contains a directory traversal vulnerability that arises from improper validation or normalization of user-supplied input used to construct file paths. By crafting URL sequences with path traversal patterns (e.g., ../), an attacker can escape the intended restricted directory and access arbitrary files or directories on the underlying file system [2]. This vulnerability is classified under CWE-209 (Information Exposure Through an Error Message), as detailed in the gist published by the researcher [2].
Exploitation and Attack Surface
The vulnerability can be exploited remotely via unauthenticated requests, meaning no prior authentication or user interaction is required. An attacker only needs network access to the affected service. By sending specially crafted URL requests containing path traversal sequences to the Managed Print Service Client, the attacker can navigate the file system outside of the application's intended scope [2]. The CVSS v3.1 score of 8.2 (High) reflects the low attack complexity and the absence of required privileges [2].
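One way to look for the crafted requests described above in web or proxy access logs sitting in front of the service. This is an added example, not code from docuFORM or the researcher; it assumes Common Log Format lines, and the sample IPs, paths and timestamps are constructed placeholders rather than the product's real endpoints. It goes slightly beyond the literal `../` pattern by also decoding percent-encoded and backslash forms before checking.

```python
import re
from urllib.parse import unquote

# Request, status and size fields of a Common Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dot segments surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dot_dot_segment(target):
    """True if a path or query component is exactly '..' after decoding."""
    decoded = fully_decode(target).replace("\\", "/")
    return ".." in re.split(r"[/?&=;]", decoded)

def scan(lines):
    """Return (ip, target, served) per request carrying a '..' segment.
    served=True means status 200 with a non-empty body: triage those first."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_dot_dot_segment(m["target"]):
            served = m["status"] == "200" and m["size"] not in ("-", "0")
            findings.append((m["ip"], m["target"], served))
    return findings

# Constructed sample lines: documentation IP ranges, placeholder paths.
TS = "[01/Jan/2026:10:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /status HTTP/1.1" 200 512',
    f'192.0.2.10 - - {TS} "GET /files/v1..2/notes.txt HTTP/1.1" 200 100',
    f'198.51.100.7 - - {TS} "GET /files/../../placeholder.txt HTTP/1.1" 404 0',
    f'198.51.100.7 - - {TS} "GET /files/%2e%2e%2f%2e%2e%2fplaceholder.txt HTTP/1.1" 200 2048',
    f'203.0.113.5 - - {TS} "GET /files/%252e%252e/placeholder.txt HTTP/1.1" 200 900',
    f'203.0.113.5 - - {TS} "GET /files/..%5c..%5cplaceholder.txt HTTP/1.1" 403 -',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A file name that merely contains two dots (the `v1..2` line) is not flagged, because only a whole `..` component counts.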
Impact
Successful exploitation allows an attacker to read sensitive files stored outside the application's intended directory. This includes configuration files, application source code, system files, and user-specific data [2]. Such exposure could lead to further compromise of the affected system or sensitive information disclosure, potentially enabling lateral movement or privilege escalation.
Mitigation and Disclosure
The vulnerability was reported to the vendor (docuFORM) in October 2025, and the vendor released a fix in November 2025 [2]. Information about the vulnerability was publicly disclosed in April 2026 [2]. Users of docuFORM Managed Print Service Client 11.11c should update to the patched version as soon as possible. The researcher who discovered the vulnerability is Bastian Recktenwald [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 11.11c
Patches (0)
No patches discovered yet.
References (3)