VYPR
Medium severity 5.4 · NVD Advisory · Published Jul 7, 2025 · Updated Apr 29, 2026

CVE-2025-7108


Description

A vulnerability classified as critical was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. Affected by this vulnerability is the function deleteFile of the file /Digital-Infrastructure-9.6.7/y9-digitalbase-webapp/y9-module-filemanager/risenet-y9boot-webapp-filemanager/src/main/java/net/risesoft/y9public/controller/Y9FileController.java. The manipulation of the argument fullPath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in risesoft-y9 Digital-Infrastructure up to 9.6.7 allows remote attackers to delete arbitrary files via the deleteFile endpoint.

Root Cause: The deleteFile endpoint in Y9FileController.java lacks proper validation of the fullPath parameter, allowing path traversal sequences such as ../ to escape the intended file storage root directory [1]. This vulnerability affects Digital-Infrastructure versions up to 9.6.7.

Exploitation: An unauthenticated remote attacker can send a POST request to /fileManager/rest/deleteFile with crafted fullPath and fileName parameters. For example, fullPath=/../../target and fileName=info.db would delete a file outside the intended directory [1]. No authentication is required, and the attack can be launched over the network.

Impact: Successful exploitation allows an attacker to delete arbitrary files on the server, potentially causing denial of service, data loss, or disruption of application functionality. The vendor was contacted but did not respond, leaving affected systems without an official patch.

Mitigation: As of the publication date, no patch is available. Users should restrict network access to the vulnerable endpoint, implement input validation for path parameters, or consider upgrading to a patched version if released.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
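
One way to implement the path-parameter validation named under Mitigation, written here as an added example (it is not code from risesoft-y9 or from the cited references). The class name, method names and temporary storage root are assumptions; the rejected parameter values are the ones quoted under Exploitation.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration: class, method and directory names are hypothetical.
public class SafeFileDelete {

    // Returns the delete target only if root/fullPath/fileName stays inside root.
    static Path resolveInsideRoot(Path root, String fullPath, String fileName) throws IOException {
        if (fullPath == null || fileName == null || fileName.isEmpty()) {
            throw new SecurityException("missing path parameter");
        }
        // fileName must be one path component, never a nested or parent reference.
        if (fileName.contains("/") || fileName.contains("\\")
                || fileName.equals(".") || fileName.equals("..")) {
            throw new SecurityException("invalid file name");
        }
        Path realRoot = root.toRealPath(); // canonical root, symlinks resolved
        // Treat a leading "/" as relative to the storage root, not the filesystem root.
        String relative = fullPath.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = realRoot.resolve(relative).resolve(fileName).normalize();
        // Path.startsWith compares whole components, so "/data/root-evil" does not
        // pass as being inside "/data/root" the way a string prefix test would.
        if (!candidate.startsWith(realRoot)) {
            throw new SecurityException("path escapes storage root");
        }
        // normalize() is purely lexical; re-check the real parent to catch symlinks.
        Path parent = candidate.getParent();
        if (Files.exists(parent) && !parent.toRealPath().startsWith(realRoot)) {
            throw new SecurityException("symlink escapes storage root");
        }
        return candidate;
    }

    static boolean deleteFile(Path root, String fullPath, String fileName) throws IOException {
        return Files.deleteIfExists(resolveInsideRoot(root, fullPath, fileName));
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("storage-root"); // constructed sample tree
        Files.createDirectories(root.resolve("docs"));
        Files.createFile(root.resolve("docs").resolve("report.txt"));
        System.out.println("in-root delete: " + deleteFile(root, "/docs", "report.txt"));
        try {
            deleteFile(root, "/../../target", "info.db"); // parameter values from the advisory
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The containment check runs on the normalized, resolved path rather than on the raw string, so encoded or mixed-separator variants of `../` are judged by where they land, not by how they are spelled.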

Patches

0

No patches discovered yet.


References

4
