CVE-2014-125125
published 2025-07-31

Priority: P2 · 65 · Severity: high, 8.8 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: available
EPSS: 1.93% (77.5th percentile)
A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.

Affected (1 range)

Vendor: a10_networks
Product: ax_series_loadbalancer
Version range: <= 2.6.1-GR1-P5
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /xml/downloads
Path: /xml/downloads
  • Monitor HTTP requests to the /xml/downloads endpoint containing directory traversal sequences (e.g., '../') in the 'filename' parameter from unauthenticated sources.
  • Alert on requests to /xml/downloads where the 'filename' parameter traverses outside the virtual directory; exploitation also causes the requested file to be deleted from the device after retrieval.
  • Flag exploitation attempts targeting SSL certificate and private key paths via the filename parameter on A10 Networks AX Loadbalancer devices (hardware and VM appliances).
  • The Metasploit auxiliary module for this CVE requires CONFIRM_DELETE to be set to 'true', which can serve as a behavioral indicator when scanning for exploitation tooling or scripts targeting this endpoint.
  • Exploitation is unauthenticated — no credentials are required to trigger the path traversal via the filename parameter.
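The monitoring guidance above can be turned into a small log scanner. The following Python is an added example written for this page, not code from the database, the vendor or the Metasploit project: it parses access-log request lines, keeps only requests to /xml/downloads, percent-decodes the filename parameter (repeatedly, so double-encoded sequences are not missed) and flags any value containing a `..` path segment, noting separately when the requested name looks like certificate or key material. The log format, the sample lines and the key-material heuristic are constructed for illustration.

```python
"""Detect CVE-2014-125125-style requests in access logs (added example, not from the source page)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/xml/downloads"

# A '..' path segment bounded by a slash, backslash, start or end of string.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed heuristic: names that suggest SSL certificates or private keys,
# which the advisory text names as the sensitive files at risk.
KEY_MATERIAL = re.compile(r"(\.key|\.pem|\.crt|\.p12|cert|ssl)", re.IGNORECASE)

# Combined-log-style request line: "METHOD TARGET HTTP/x.y" inside quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2025:10:00:00 +0000] "GET /xml/downloads?filename=report.xml HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2025:10:00:05 +0000] "GET /xml/downloads?filename=../../../../conf/server.key HTTP/1.1" 200 1704',
    '198.51.100.7 - - [01/Aug/2025:10:00:09 +0000] "GET /xml/downloads?filename=..%252f..%252fconfig.xml HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Aug/2025:10:01:00 +0000] "GET /xml/other?filename=../x HTTP/1.1" 404 0',
]


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that '..%252f' is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str):
    """Return a finding dict for a suspicious request target, or None if benign."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    # parse_qs already percent-decodes once; normalize() handles further layers.
    filenames = parse_qs(parts.query, keep_blank_values=True).get("filename", [])
    for raw in filenames:
        name = normalize(raw)
        if TRAVERSAL.search(name):
            return {
                "filename": name,
                "targets_key_material": bool(KEY_MATERIAL.search(name)),
            }
    return None


def scan_log(lines):
    """Yield (line_number, finding) for every request that matches the indicator."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = inspect_request(match.group("target"))
        if finding:
            yield number, finding


if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: traversal in filename={finding['filename']!r}, "
              f"key material: {finding['targets_key_material']}")
```

Because the vulnerable endpoint deletes the file it returns, a hit on a certificate or key name is also a prompt to verify that the file is still present on the appliance and to plan re-issuance if it is not.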