CVE-2025-5160 Overview
CVE-2025-5160 is a path traversal vulnerability [CWE-22] in H3C SecCenter SMP-E1114P02 up to build 20250513. The flaw affects the Download function exposed at the /packetCaptureStrategy/download endpoint. Attackers manipulate the Name argument to traverse the file system and access files outside the intended directory. The vulnerability is remotely exploitable and requires only low-privileged authentication. Public disclosure has occurred, and the vendor did not respond to early notification. H3C SecCenter is a centralized security management platform, making file disclosure on these systems impactful for downstream operations.
Critical Impact
Authenticated remote attackers can read arbitrary files from the H3C SecCenter host by abusing the Name parameter in the packet capture download handler.
Affected Products
- H3C SecCenter SMP-E1114P02 (versions up to 20250513)
- Endpoint affected: /packetCaptureStrategy/download
- Vulnerable parameter: Name
Discovery Timeline
- 2025-05-26 - CVE-2025-5160 published to NVD
- 2025-06-03 - Last updated in NVD database
Technical Details for CVE-2025-5160
Vulnerability Analysis
The vulnerability resides in the Download function handling requests to /packetCaptureStrategy/download. The handler accepts a user-supplied Name argument and uses it to locate a file for download without validating or canonicalizing the path. Attackers supply traversal sequences such as ../ to escape the intended packet capture directory. The server then returns files from arbitrary locations on the underlying file system.
The CWE-22 classification confirms improper limitation of a pathname to a restricted directory. Confidentiality impact is the primary concern, while integrity and availability remain unaffected. Exploitation requires a low-privileged account but no user interaction. The EPSS estimate places exploitation probability in the upper percentile of disclosed vulnerabilities, reflecting active public disclosure of exploitation details.
Root Cause
The Download function fails to sanitize the Name parameter before constructing the target file path. The application does not enforce a base directory restriction, normalize path separators, or reject traversal sequences. This allows attacker-controlled input to dictate the absolute or relative path resolved by the server.
Attack Vector
The attack vector is network-based over the management interface. An authenticated user issues a crafted HTTP request to /packetCaptureStrategy/download with a Name argument containing directory traversal characters. The server reads the targeted file and returns its contents in the response. Refer to the VulDB entry #310248 and the Flowus disclosure for technical disclosure details.
Detection Methods for CVE-2025-5160
Indicators of Compromise
- HTTP requests to /packetCaptureStrategy/download containing ../, ..\, or URL-encoded variants (%2e%2e%2f) in the Name parameter.
- Access log entries showing Name values referencing sensitive paths such as /etc/passwd, /etc/shadow, or Windows system files.
- Unusual outbound file transfers originating from the H3C SecCenter management interface.
Detection Strategies
- Inspect web server and application logs for the /packetCaptureStrategy/download endpoint and flag any Name parameter containing path separators or encoded traversal sequences.
- Deploy web application firewall rules that block requests matching path traversal signatures against the SecCenter management URL.
- Correlate authenticated session activity with anomalous download volume or off-hours file access on the management plane.
Monitoring Recommendations
- Forward H3C SecCenter access logs to a centralized SIEM for retention and rule-based alerting on traversal patterns.
- Baseline normal packetCaptureStrategy usage by legitimate operators and alert on deviations in parameter content.
- Monitor low-privileged account activity against management interfaces for signs of credential abuse.
How to Mitigate CVE-2025-5160
Immediate Actions Required
- Restrict network access to the H3C SecCenter management interface using firewall ACLs that permit only trusted administrator workstations.
- Audit all accounts with access to SecCenter and disable or rotate credentials for unused or shared low-privileged accounts.
- Review historical access logs for prior exploitation attempts against /packetCaptureStrategy/download.
Patch Information
No vendor patch is available. The vendor was contacted prior to public disclosure but did not respond. Monitor the H3C security advisories for future updates and apply any released fixes immediately.
Workarounds
- Place the SecCenter management interface behind a reverse proxy or WAF that strips or rejects traversal sequences in the Name parameter.
- Block direct access to /packetCaptureStrategy/download from untrusted network segments until a vendor patch is released.
- Enforce strict role-based access control to limit which accounts can authenticate to the SecCenter management plane.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
