CVE-2025-5161 Overview
CVE-2025-5161 is a path traversal vulnerability [CWE-22] affecting H3C SecCenter SMP-E1114P02 versions up to build 20250513. The flaw resides in the operationDailyOut function within the /safeEvent/download endpoint. Attackers can manipulate the filename argument to traverse directories and access files outside the intended download path. The attack is launchable remotely over the network and requires low-privileged authentication. The exploit details have been disclosed publicly, increasing the risk of opportunistic exploitation. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Authenticated remote attackers can read arbitrary files from the H3C SecCenter SMP-E1114P02 server filesystem by abusing the filename parameter in /safeEvent/download.
Affected Products
- H3C SecCenter SMP-E1114P02 (builds up to 20250513)
- Vulnerable endpoint: /safeEvent/download
- Vulnerable function: operationDailyOut
Discovery Timeline
- 2025-05-26 - CVE-2025-5161 published to NVD
- 2025-06-03 - Last updated in NVD database
Technical Details for CVE-2025-5161
Vulnerability Analysis
The vulnerability is a classic path traversal weakness in the daily-operation export workflow of H3C SecCenter SMP-E1114P02. The operationDailyOut handler accepts a user-supplied filename argument through the /safeEvent/download endpoint and uses it to construct a filesystem path without proper canonicalization or sanitization. By supplying traversal sequences such as ../, an attacker can break out of the expected download directory and retrieve files located elsewhere on the server. Successful exploitation results in disclosure of arbitrary files readable by the web application process, which may include configuration files, log files, or credentials cached by the security management platform. The attack vector is network-based and requires only low-level privileges, making it accessible to any authenticated user of the management console.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The filename parameter is concatenated into a filesystem path without validation that the resolved path remains inside the intended export directory. No allow-list of permitted files, no normalization, and no rejection of traversal sequences are enforced before the file is opened and streamed back to the client.
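The three missing controls named above (an allow-list, normalization, and a containment check on the resolved path) are easy to see side by side in code. The following is an added illustration, not the product's own code: the SecCenter implementation language and export directory are unknown, so `EXPORT_DIR`, the allow-listed extensions and every function name here are assumptions. `unsafe_join` is the concatenation pattern the advisory describes; `safe_resolve` is the hardened form.

```python
import os
import re
from pathlib import Path

# Assumed export directory; the real location inside SecCenter is not stated in the advisory.
EXPORT_DIR = Path("/opt/seccenter/export")

# Assumed allow-list for daily export names: alphanumeric first character,
# a restricted character set, and a known export extension.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}\.(xlsx|csv|pdf)")


class UnsafePath(ValueError):
    """Raised when a requested filename would resolve outside the export directory."""


def unsafe_join(export_dir, filename):
    # The pattern the root-cause section describes: plain concatenation with no
    # containment check, so traversal segments in `filename` are honoured as-is.
    return os.path.normpath(os.path.join(str(export_dir), filename))


def safe_resolve(export_dir, filename):
    """Return the absolute path of `filename` inside `export_dir`, or raise UnsafePath."""
    if not filename or "\x00" in filename:
        raise UnsafePath("empty filename or embedded NUL")
    if "/" in filename or "\\" in filename:
        raise UnsafePath("path separators are not allowed in an export filename")
    if not ALLOWED_NAME.fullmatch(filename):
        raise UnsafePath("filename does not match the export allow-list")
    base = Path(export_dir).resolve()
    candidate = (base / filename).resolve()
    # Containment check on the *resolved* path: a symlink placed inside the export
    # directory that points elsewhere is rejected here even though the name passed.
    if candidate.parent != base:
        raise UnsafePath("resolved path is outside the export directory")
    return candidate


def is_allowed(export_dir, filename):
    """Boolean wrapper around safe_resolve for logging or unit tests."""
    try:
        safe_resolve(export_dir, filename)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    samples = ["daily_20250526.xlsx", "../../etc/passwd", "..\\..\\win.ini",
               "/etc/passwd", ".hidden.csv"]
    for name in samples:
        print(f"{name!r}: unsafe_join -> {unsafe_join(EXPORT_DIR, name)} "
              f"allowed={is_allowed(EXPORT_DIR, name)}")
```

The order of the checks matters: the cheap syntactic rejections (NUL, separators, allow-list) come first, and the resolved-path comparison is kept as a last line of defence rather than the only one, because it is the check that also catches symlinks and platform-specific path quirks the syntactic rules cannot see.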
Attack Vector
An authenticated attacker sends an HTTP request to /safeEvent/download with a crafted filename argument containing directory traversal sequences. The operationDailyOut function resolves the path relative to the export directory, follows the traversal, opens the targeted file, and returns its contents in the HTTP response. Because the disclosure is public and no vendor patch has been released, exploitation tooling is likely to appear in opportunistic scans of internet-exposed H3C SecCenter deployments.
No verified proof-of-concept code is available in trusted sources. Refer to the VulDB entry #310249 and the Flowus Security Share for additional technical context.
Detection Methods for CVE-2025-5161
Indicators of Compromise
- HTTP requests to /safeEvent/download containing ../, ..\, URL-encoded variants (%2e%2e%2f), or double-encoded traversal sequences in the filename parameter.
- Web server access logs showing successful 200 responses to /safeEvent/download requests where the filename value references paths outside the expected export directory.
- Outbound file transfers from the H3C SecCenter host immediately following anomalous /safeEvent/download activity.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the filename query parameter on /safeEvent/download for traversal patterns and reject requests containing path separators or encoded equivalents.
- Create SIEM correlation rules joining authentication events with /safeEvent/download requests to identify low-privileged accounts performing file exports against unusual paths.
- Baseline normal export filenames in the environment and alert on any filename value that does not match the expected pattern.
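The indicators and detection strategies above can be checked directly against web access logs. The script below is an added example, not part of the original advisory or any H3C tooling: it parses Common Log Format lines, percent-decodes the filename value repeatedly so double-encoded and backslash variants are normalized, flags traversal on /safeEvent/download, uses the HTTP status to separate served requests (200) from blocked ones, and counts findings per account for the SIEM correlation described above. The log lines in `SAMPLE_LOG` are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [27/May/2025:10:01:02 +0000] "GET /safeEvent/download?filename=daily_20250526.xlsx HTTP/1.1" 200 48211
10.0.0.9 - bob [27/May/2025:10:02:10 +0000] "GET /safeEvent/download?filename=../../../../etc/passwd HTTP/1.1" 200 1934
10.0.0.9 - bob [27/May/2025:10:02:15 +0000] "GET /safeEvent/download?filename=..%2F..%2Fconf%2Fdb.properties HTTP/1.1" 200 512
10.0.0.9 - bob [27/May/2025:10:02:20 +0000] "GET /safeEvent/download?filename=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
10.0.0.9 - bob [27/May/2025:10:02:25 +0000] "GET /safeEvent/download?filename=..%5c..%5cconf%5capp.ini HTTP/1.1" 200 301
10.0.0.7 - carol [27/May/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable; the round count exposes double-encoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def normalize_filename(raw):
    """Decode and fold backslashes to slashes so ..\\ and ../ are treated alike."""
    decoded, rounds = decode_fully(raw)
    return decoded.replace("\\", "/"), rounds


def is_traversal(normalized):
    """True for a '..' path segment or an absolute path in the normalized value."""
    return ".." in normalized.split("/") or normalized.startswith("/")


def raw_query_params(query):
    """Split the query string without decoding, so decode depth can be reported."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def scan_log(text, endpoint="/safeEvent/download"):
    """Return one finding per request to `endpoint` whose filename traverses."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        for key, raw in raw_query_params(parts.query):
            if key != "filename":
                continue
            normalized, rounds = normalize_filename(raw)
            if not is_traversal(normalized):
                continue
            status = int(m.group("status"))
            findings.append({
                "ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"),
                "raw": raw, "normalized": normalized, "decode_rounds": rounds,
                "status": status,
                # A 200 means the backend served the file: likely success, not just an attempt.
                "verdict": "likely_success" if status == 200 else "blocked_or_failed",
            })
    return findings


def by_account(findings):
    """Count findings per authenticated account, for the volume and correlation alerts."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['user']}@{f['ip']} status={f['status']} "
              f"decode_rounds={f['decode_rounds']} {f['verdict']}: {f['raw']!r} -> {f['normalized']!r}")
    print("per-account counts:", by_account(results))
```

Matching on the normalized value rather than on literal `../` strings is what keeps the encoded and backslash variants from the indicator list from slipping past; the `decode_rounds` field records how many layers of encoding were stripped, which is itself a useful triage signal.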
Monitoring Recommendations
- Forward H3C SecCenter web access logs and application logs to a centralized log platform for retention and search.
- Monitor for spikes in /safeEvent/download request volume, especially from a single account or source IP.
- Track read access to sensitive files on the SecCenter host such as /etc/passwd, /etc/shadow, application configuration files, and database credential stores.
How to Mitigate CVE-2025-5161
Immediate Actions Required
- Restrict network access to the H3C SecCenter SMP-E1114P02 management interface to trusted administrative networks only, removing any internet exposure.
- Audit recent access logs for /safeEvent/download requests containing traversal characters and investigate any matches as potential compromise.
- Rotate credentials, API keys, and certificates that may have been readable from the SecCenter filesystem if exploitation is suspected.
- Apply the principle of least privilege to SecCenter accounts to limit the number of users who can reach the vulnerable endpoint.
Patch Information
No vendor patch is currently referenced in the NVD entry. H3C did not respond to the original disclosure. Monitor the VulDB advisory and official H3C security bulletins for an updated firmware or hotfix release, and apply it as soon as it becomes available.
Workarounds
- Place a reverse proxy or WAF in front of the SecCenter web interface and block requests to /safeEvent/download that contain .., %2e%2e, or absolute path indicators in the filename parameter.
- Disable or firewall the daily-operation export feature if it is not required for business operations.
- Enforce strong authentication and multi-factor authentication on all SecCenter accounts to raise the bar for the low-privilege precondition.
# Example nginx rule to block traversal patterns on the vulnerable endpoint.
# $arg_filename holds the raw, still percent-encoded query value, so encoded
# forms (including the double-encoded %252e) are listed explicitly. Inside a
# quoted nginx string "\\" collapses to a single backslash and leaves the regex
# unbalanced, so a literal backslash is written as the PCRE hex escape \x5c.
location /safeEvent/download {
    if ($arg_filename ~* "(\.\.|%2e%2e|%252e|\x5c|%5c|^/|^%2f|/etc/)") {
        return 403;
    }
    proxy_pass http://h3c_seccenter_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.