MEDIUM 6.5

CVE-2018-25421: Open STA Manager 2.3 Path Traversal File Download Vulnerability

Open STA Manager version 2.3 has a security flaw that allows authenticated users to download files they shouldn't have access to. An attacker with valid login credentials can manipulate web requests to trick the application into retrieving sensitive system files, such as configuration files or data stored outside the intended application directory. The vulnerability exists in the backup module and exploits how the application handles file path requests.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25421 is a path traversal vulnerability (CWE-22) in Open STA Manager 2.3 affecting the modules/backup/actions.php endpoint. When processing GET requests with the op=getfile parameter, the application fails to adequately sanitize the file parameter, permitting directory traversal sequences (../) to escape the intended download directory. An authenticated attacker can construct requests that traverse the filesystem hierarchy to access arbitrary files readable by the application process. The CVSS 3.1 score of 6.5 (MEDIUM) reflects authentication as a prerequisite, network-accessible attack surface, and confidentiality impact with no integrity or availability compromise.

Business impact

This vulnerability primarily threatens confidentiality. Authenticated users—whether legitimate staff whose credentials were compromised or insider threats—can exfiltrate sensitive data including system configuration files, database connection strings, API keys, or other application secrets. The impact depends on what sensitive data resides on the same server and what the application process can read. Organizations using Open STA Manager for backup operations face heightened risk of data leakage if backups or configuration data are stored in accessible locations.

Affected systems

Open STA Manager version 2.3 is confirmed affected. No vendor or product alternatives were specified in the available advisory data. Organizations running this version should audit their deployments. Verify the exact version through application settings or version checking endpoints, and confirm whether any patches or subsequent releases have been issued by the Open STA Manager maintainers.

Exploitability

Exploitation requires valid authentication credentials, which raises the barrier to opportunistic attacks but does not eliminate risk from insider threats or compromised accounts. Once authenticated, crafting a malicious request is straightforward—no special tools, user interaction, or complex conditions are needed. The attack is network-accessible and leaves minimal footprint. The moderate CVSS score reflects this balance: real but not trivial to exploit in practice.

Remediation

Immediately apply any available patches from the Open STA Manager project. If no patch exists, implement compensating controls: restrict file download functionality to authenticated users with administrative privilege, monitor access logs for ../ sequences or unusual file parameter values in modules/backup/actions.php requests, and consider disabling the backup download feature if not operationally necessary. Conduct access reviews for any Open STA Manager user accounts and rotate credentials for accounts with suspicious access patterns.

Patch guidance

Check the official Open STA Manager release notes and repository for version 2.4 or later, or security advisories that confirm a fix. Apply patches according to the vendor's instructions and test thoroughly in a staging environment before production rollout. If patching is delayed, enforce the network segmentation and access controls listed under remediation_summary to limit attack surface.

Detection guidance

Monitor web server logs for GET requests to modules/backup/actions.php containing the op=getfile parameter combined with ../ sequences in the file parameter. Search for patterns like file=../../ or file=../../../etc/passwd. Log all backup downloads, including the user account, timestamp, and requested file path. Consider deploying a Web Application Firewall (WAF) rule to block requests to that endpoint containing directory traversal patterns. Alert on any failed authentication attempts followed by successful downloads, which may indicate credential compromise.

Why prioritize this

Although CVSS scores a MEDIUM 6.5, prioritization should reflect your actual data sensitivity and authentication posture. If sensitive system files, credentials, or customer data are stored on the same server, prioritize patching within 30 days. If user account compromise is common in your environment, treat this higher. The presence of authentication reduces the risk surface compared to unauthenticated flaws, but insider risk and compromised accounts are real threats.

Risk score, explained

CVSS 3.1/6.5 reflects: Network-accessible attack vector (AV:N) with low attack complexity (AC:L), requiring low privilege via login (PR:L), no user interaction (UI:N), and impact confined to confidentiality (C:H/I:N/A:N). The mandatory authentication prerequisite prevents the score from reaching 9.0+, but the high confidentiality impact prevents it from falling below 6.0. In your context, adjust based on how many employees have Open STA Manager access and whether sensitive files reside on the server.

Frequently asked questions

Do I need to be an administrator to exploit this vulnerability?

No. Any authenticated user of Open STA Manager can attempt the attack, not just administrators. This widens the risk if user accounts are shared, compromised, or belong to disgruntled employees.

What files could an attacker access?

An attacker can access any file that the web server process has permission to read. This typically includes application configuration files, database credentials, private keys, backup files, and potentially system files like /etc/passwd on Linux systems. The exact scope depends on file permissions and deployment architecture.

Is there a workaround if I cannot patch immediately?

Yes. Disable or restrict access to the modules/backup/actions.php endpoint via web server configuration or firewall rules. Limit backup download functionality to a specific IP range or VPN. Implement strong authentication and monitor for suspicious access patterns. These are temporary measures only—patching is the proper fix.

Why isn't this vulnerability on the CISA KEV catalog?

Not all vulnerabilities are actively exploited in the wild or meet CISA's other inclusion criteria. Lack of KEV status does not mean the vulnerability is low-risk in your environment; prioritize based on your actual exposure and data sensitivity.

This analysis is based on publicly available information as of the publication date. Verify all patch version numbers and remediation steps against official vendor advisories before implementation. No exploit code or weaponized proof-of-concept is provided. Security risk and business impact vary by organization; tailor prioritization to your specific deployment, data sensitivity, and threat model. This page is for informational purposes and does not constitute professional security advice. Consult your security team and vendor documentation for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).