CVE-2025-5159 Overview
CVE-2025-5159 is a path traversal vulnerability [CWE-22] in H3C SecCenter SMP-E1114P02 builds up to 20250513. The flaw resides in the Download function exposed through the /cfgFile/1/download endpoint. An authenticated remote attacker can manipulate the Name parameter to traverse directories and retrieve arbitrary files from the host filesystem. The exploit has been publicly disclosed, and the vendor did not respond to disclosure attempts. The vulnerability impacts confidentiality on the affected appliance.
Critical Impact
Remote attackers with low-privileged access can read arbitrary files from the H3C SecCenter appliance through the Name parameter of the /cfgFile/1/download endpoint.
Affected Products
- H3C SecCenter SMP-E1114P02 (builds up to 20250513)
- Configuration file download component (/cfgFile/1/download)
- The Download function processing the Name argument
Discovery Timeline
- 2025-05-26 - CVE-2025-5159 published to NVD
- 2025-06-03 - Last updated in NVD database
Technical Details for CVE-2025-5159
Vulnerability Analysis
The vulnerability is a classic path traversal weakness in the configuration file download handler of H3C SecCenter SMP-E1114P02. The /cfgFile/1/download endpoint accepts a Name parameter that identifies the file to be returned. The server fails to canonicalize the supplied value or restrict it to a designated configuration directory. As a result, traversal sequences such as ../ are honored when constructing the final filesystem path.
Attackers reach the endpoint over the network and require only low-privileged authentication to invoke it. Successful exploitation returns arbitrary file contents to the requester, exposing configuration data, credentials stored on disk, and other sensitive material. The EPSS probability of 0.751% places this issue in the 73rd percentile for near-term exploitation likelihood, and a public proof-of-concept has been referenced in VulDB entry 310247.
Root Cause
The root cause is the absence of input validation and path canonicalization in the Download handler. The application concatenates the user-supplied Name value into a filesystem path without normalizing .. segments or enforcing a base directory allowlist. This violates the secure file access pattern required by CWE-22.
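The check the root cause describes as missing, shown beside the concatenation pattern, as an added illustration (not code from the appliance or from the disclosure). The function names, the directory layout and the file names are assumptions made for the example.

```python
import os
import tempfile

def naive_resolve(base_dir: str, name: str) -> str:
    # Flawed pattern from the root cause: concatenate, never check the result.
    return os.path.normpath(os.path.join(base_dir, name))

def safe_resolve(base_dir: str, name: str) -> str:
    """Canonicalize first, then require the result to be a file under base_dir."""
    if not name or "\x00" in name:
        raise ValueError("empty or malformed file name")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the configuration directory")
    if not os.path.isfile(candidate):
        raise ValueError("no such configuration file")
    return candidate

def demo() -> dict:
    """Run constructed names against a throwaway directory tree."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "cfg")           # hypothetical config directory
        os.mkdir(base)
        secret = os.path.join(root, "secret.txt")  # file outside the base
        for path in (os.path.join(base, "backup.cfg"), secret):
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.symlink(secret, os.path.join(base, "link.cfg"))
        escaped = naive_resolve(base, "../secret.txt")
        verdicts["naive_escapes"] = os.path.dirname(escaped) == root
        for name in ("backup.cfg", "../secret.txt", "/etc/passwd", "link.cfg"):
            try:
                safe_resolve(base, name)
                verdicts[name] = "allowed"
            except ValueError:
                verdicts[name] = "rejected"
    return verdicts

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The symlink case is rejected because the containment check runs on the resolved path, not on the string the client supplied.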
Attack Vector
The attack is initiated remotely over HTTP/HTTPS against the management interface. An attacker sends a crafted GET request to /cfgFile/1/download with a Name parameter containing relative path traversal sequences. The server resolves the path outside the intended configuration directory and returns the contents of the targeted file. No user interaction is required, and exploitation does not depend on chained vulnerabilities. The vendor has not released a patch or acknowledged the report.
No verified code examples are available for this vulnerability. Technical details are referenced in the public Flowus disclosure and the VulDB CTI record.
Detection Methods for CVE-2025-5159
Indicators of Compromise
- HTTP requests to /cfgFile/1/download containing ..%2f, ../, or encoded traversal sequences in the Name parameter.
- Outbound responses from the SecCenter appliance returning files outside the configuration directory, such as /etc/passwd or system credential stores.
- Unexpected access to the download endpoint from unfamiliar source IPs or service accounts.
Detection Strategies
- Inspect web server and reverse-proxy access logs for Name parameter values containing path traversal patterns.
- Deploy WAF or IDS signatures that flag traversal sequences directed at the /cfgFile/1/ URI namespace.
- Correlate authentication events with subsequent downloads from /cfgFile/1/download to identify low-privileged accounts retrieving abnormal file paths.
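One way to implement the access-log inspection described above, as an added example that is not part of the original advisory. It assumes a combined-format access log from a reverse proxy in front of the appliance; the log lines are constructed samples, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/cfgfile/1/download"  # compared case-insensitively
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed access-log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - admin [26/May/2025:10:00:01 +0000] "GET /cfgFile/1/download?Name=startup.cfg HTTP/1.1" 200 5120',
    '198.51.100.7 - oper [26/May/2025:10:02:13 +0000] "GET /cfgFile/1/download?Name=../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - oper [26/May/2025:10:02:20 +0000] "GET /cfgFile/1/download?Name=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843',
    '198.51.100.9 - oper [26/May/2025:10:03:02 +0000] "GET /cfgFile/1/download?Name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0',
    '192.0.2.10 - admin [26/May/2025:10:04:00 +0000] "GET /cfgFile/1/download?Name=backup..2025.cfg HTTP/1.1" 200 4096',
    '192.0.2.11 - admin [26/May/2025:10:05:00 +0000] "GET /status?Name=../x HTTP/1.1" 200 12',
]

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so layered encodings are compared decoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(name: str) -> bool:
    """True for an absolute path or any whole '..' path segment."""
    decoded = fully_decode(name).replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")

def scan(lines):
    """Return one record per download request whose Name value traverses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/").lower() != ENDPOINT:
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "name" and is_traversal(value):
                hits.append({"ip": m["ip"], "status": int(m["status"]),
                             "name": fully_decode(value)})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 deserves a closer look than one with 403, since it suggests the file was returned.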
Monitoring Recommendations
- Forward H3C SecCenter access and authentication logs to a centralized SIEM for retention and pattern analysis.
- Alert on anomalous response sizes from /cfgFile/1/download that deviate from baseline configuration file transfers.
- Track repeated 200 OK responses to the download endpoint from a single session, which may indicate file enumeration.
How to Mitigate CVE-2025-5159
Immediate Actions Required
- Restrict network access to the SecCenter management interface using firewall rules or VPN-only access until a vendor fix is published.
- Rotate any credentials, API keys, or certificates that may reside on the appliance filesystem and could have been exfiltrated.
- Audit existing accounts on SecCenter and remove or disable unused low-privilege accounts that could be leveraged to reach the endpoint.
Patch Information
The vendor was contacted prior to public disclosure but did not respond, and no official patch is currently available. Operators should monitor H3C security advisories for updated firmware releases addressing the Download function in /cfgFile/1/download.
Workarounds
- Block external requests to the /cfgFile/1/download URI at an upstream reverse proxy or web application firewall.
- Apply WAF rules to reject any Name parameter value containing .., %2e%2e, or absolute path prefixes.
- Place the appliance behind a jump host and limit administrative access to a defined IP allowlist.
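# Example NGINX reverse proxy rule blocking traversal attempts
location /cfgFile/1/download {
    # $arg_Name is the raw, undecoded query value, so encoded dots are matched
    # explicitly; any two-dot sequence is rejected whatever separator follows.
    if ($arg_Name ~* "((\.|%2e)(\.|%2e)|^(/|%2f)|/etc/|/root/)") {
        return 403;
    }
    proxy_pass https://seccenter.internal;
}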


