CVE-2018-25408: Open ISES Project Path Traversal Vulnerability (High Severity)
A vulnerability in Open ISES Project version 3.30A allows anyone on the internet to download files from an affected server without needing to log in. An attacker can craft a specially formatted request to the ajax/download.php endpoint that uses path traversal techniques (such as ../ sequences) to escape the intended download directory and retrieve sensitive files like configuration files, database backups, or system files. The vulnerability requires no authentication, no special user interaction, and can be exploited over the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename parameter to access files outside the intended directory, including configuration files and system files.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25408 is a CWE-22 path traversal vulnerability in the Open ISES Project 3.30A ajax/download.php endpoint. The vulnerability stems from insufficient input validation on the filename parameter, which fails to properly sanitize or block directory traversal sequences. An unauthenticated attacker can supply malicious filename values containing ../ sequences to traverse outside the intended download directory structure and access arbitrary files readable by the web server process. This results in unauthorized information disclosure of sensitive files, including application configuration, credentials, and system-level data.
Business impact
Compromise of sensitive files stored on affected servers could lead to exposure of database credentials, API keys, application secrets, and other configuration data. This disclosure may enable follow-on attacks such as lateral movement, privilege escalation, or further system compromise. Organizations running Open ISES Project 3.30A may face regulatory or compliance violations if customer data, personally identifiable information, or other protected data is accessed through this vulnerability. The lack of authentication requirements and low complexity make this a broadly exploitable risk for any internet-facing instance.
Affected systems
Open ISES Project version 3.30A is confirmed vulnerable. Organizations should verify whether they are running this version or any other version of Open ISES Project, as the scope of affected versions should be confirmed through vendor advisories. Any instance exposed to network access should be considered at risk.
Exploitability
This vulnerability is highly exploitable in real-world conditions. It requires no authentication, no special privileges, and no user interaction. An attacker needs only to craft HTTP requests with manipulated filename parameters containing path traversal sequences and send them over the network to the ajax/download.php endpoint. The attack surface is large because the endpoint is typically accessible without login, and the technique is straightforward and well-understood in the security community.
Remediation
Organizations should immediately apply a security patch from the Open ISES Project vendor if one is available. Patch guidance should be verified against the official vendor advisory. Until a patch can be applied, implement network-level controls to restrict access to the ajax/download.php endpoint (via web application firewall rules or reverse proxy configuration), disable or remove the vulnerable endpoint if not critical to operations, and restrict the web server process to a minimal set of file permissions. Conduct a file integrity check and review web server access logs for suspicious requests to the download.php endpoint to detect potential exploitation.
Patch guidance
Check the Open ISES Project vendor advisory and security releases for patches addressing this path traversal vulnerability. Apply updates according to your change management procedures and test thoroughly in a non-production environment first. Verify the fix by confirming that path traversal sequences in the filename parameter are now rejected or properly sanitized. Restart affected web services after patch deployment.
Detection guidance
Monitor web server access logs for suspicious patterns in requests to ajax/download.php, including: unusual filename parameter values containing ../ sequences, repeated attempts to access files in parent directories, and requests from unexpected source IP addresses. Deploy web application firewall (WAF) rules to block requests containing path traversal patterns (../, ..), or use rate limiting on the download endpoint. Implement file integrity monitoring on sensitive configuration files to detect unauthorized access. Search historical logs for evidence of prior exploitation attempts.
Why prioritize this
This vulnerability scores HIGH (CVSS 7.5) and presents a critical confidentiality risk. It is network-exploitable without authentication, has low attack complexity, and directly leads to unauthorized disclosure of sensitive files. The lack of complexity and lack of prerequisites make it a natural target for automated scanning and opportunistic attacks. Any internet-facing instance should be patched or mitigated as a priority. The vulnerability is not yet listed on CISA's KEV catalog, but that does not diminish its real-world risk.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects: network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), no user interaction needed (UI:N), and significant confidential impact (C:H). The score does not account for integrity or availability impact because the vulnerability is limited to unauthorized information disclosure. This baseline should be elevated in your risk assessment if your organization stores highly sensitive data (credentials, PII, proprietary information) on systems running this software, or if the affected server is internet-facing or accessible from untrusted networks.
Frequently asked questions
Can an attacker modify or delete files, or shut down the service?
No. This vulnerability is limited to unauthorized disclosure (reading) of files. The CVSS score reflects a confidentiality impact only; integrity and availability are not compromised by this flaw. However, files disclosed might contain credentials or system information that enable further attacks.
Do we need to be authenticated to exploit this vulnerability?
No. This is an unauthenticated vulnerability. Any attacker with network access to the ajax/download.php endpoint can attempt exploitation without any login credentials or valid user account.
How can we tell if we've been exploited?
Review web server access logs (typically access.log or similar) for requests to ajax/download.php with unusual filename parameters containing path traversal sequences like ../ or absolute paths. Check file integrity logs or backup audit trails for unexpected access to sensitive files. If you have a WAF, review its blocked or allowed request logs. Consult forensic analysis for file access timestamps if data exfiltration is suspected.
Is there a patch available yet?
Verify the current status with the Open ISES Project vendor advisory and official security bulletins. This write-up does not include specific patch version numbers; always source those directly from the vendor to ensure you deploy the correct update for your environment.
This analysis is provided for informational and educational purposes. SEC.co does not provide legal, compliance, or investment advice. Organizations must verify all vulnerability details, including affected versions and patch availability, directly through official vendor advisories and security bulletins before making operational decisions. The absence of a CVE from CISA's KEV catalog does not indicate lower risk; organizations should conduct their own risk assessments based on their specific infrastructure, data sensitivity, and threat landscape. Test all patches and mitigations in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-32847HIGHDeepCode Path Traversal Allows Unauthenticated Arbitrary File Read
- CVE-2026-35082HIGHMBS Solutions Gateway Firmware Path Traversal - File Access Vulnerability
- CVE-2026-39276HIGHEmlog Pro v2.6.9 Path Traversal Remote Code Execution
- CVE-2026-43624HIGHF5-TTS Path Traversal Vulnerability (CVSS 8.2)
- CVE-2026-44594HIGHLocal File Inclusion in esm.sh CDN – HIGH Severity Information Disclosure
- CVE-2026-45017HIGHPython Liquid Path Traversal Allows Arbitrary File Read