VYPR
Medium severity 6.5 · NVD Advisory · Published Aug 8, 2025 · Updated Apr 15, 2026

CVE-2025-8749

Description

Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in MiR robot software before 3.0.0 allows authenticated users to read arbitrary files via a crafted API request.

What is the vulnerability?

CVE-2025-8749 is a path traversal vulnerability affecting the API endpoint in Mobile Industrial Robots (MiR) software prior to version 3.0.0 [1][2]. The root cause lies in insufficient validation of user-supplied file paths, allowing an authenticated attacker to traverse directories and access files outside the intended directory [2].

How is it exploited?

An attacker must first have a valid user account on the MiR robot system [1][2]. With network access to the affected API endpoint, the attacker can craft a request containing path traversal sequences (e.g., ../) to escape the restricted file area and read arbitrary files from the robot's file system [2]. The vulnerability requires authentication, but no special privileges beyond a standard user account [2].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive information stored on the robot, such as configuration files, logs, or other data accessible to the system user [1][2]. The CVSS score of 6.5 (Medium) reflects the confidentiality impact (HIGH) but no direct impact on integrity or availability [2].

Mitigation

MiR has released software version 3.0.0 which addresses this issue; users are advised to update to the latest version [2]. For robots that cannot be immediately updated, restricting network access to authenticated users and monitoring API requests may reduce risk [1][2].
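The API request monitoring suggested above, as an added example (not MiR's code and not part of the advisory): a Python scan of access logs that flags requests whose path or query values contain a `..` segment after repeated percent-decoding. The log format, the `/api/v2.0.0/files` endpoint, the `path` parameter and the sample lines are constructed assumptions; the advisory does not name the affected endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines (common log format). The endpoint, the "path"
# parameter, the users and the addresses are hypothetical, not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - operator [08/Aug/2025:10:00:01 +0000] "GET /api/v2.0.0/files?path=maps/site.png HTTP/1.1" 200 5120
10.0.0.9 - operator [08/Aug/2025:10:00:07 +0000] "GET /api/v2.0.0/files?path=../../etc/hostname HTTP/1.1" 200 12
10.0.0.9 - operator [08/Aug/2025:10:00:09 +0000] "GET /api/v2.0.0/files?path=%2e%2e%2f%2e%2e%2fetc%2fhostname HTTP/1.1" 403 0
10.0.0.9 - operator [08/Aug/2025:10:00:12 +0000] "GET /api/v2.0.0/files/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 200 12
10.0.0.7 - admin [08/Aug/2025:10:01:00 +0000] "GET /api/v2.0.0/status?note=v1..v2 HTTP/1.1" 200 88
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    # Percent-decode until stable so double-encoded sequences (%252e) surface.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    # Match ".." only as a whole path segment; "v1..v2" is not a traversal.
    return ".." in re.split(r"[/\\]", fully_decode(value))

def find_traversal_requests(log_text):
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, user, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        candidates = [path] + [v for _, v in parse_qsl(query, keep_blank_values=True)]
        if any(has_traversal(c) for c in candidates):
            hits.append({"client": client, "user": user, "target": target,
                         "served": status.startswith("2")})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request with `served` set to true is the case to triage first, since the server answered it with a success status.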

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

2
