CVE-2025-1035
published 2025-02-18

CVE-2025-1035: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technologies KLog Server allows Manipulating Web Input…

Priority: P3 (44)
Severity: medium, CVSS 3.1 base score 5.7
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 9.75% (94.9th percentile)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technologies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1.

Affected (1 range)

Vendor:        komtera_technolgies
Product:       klog_server
Version range: < 3.1.1
Fixed in:      3.1.1

Detection & IOCs (extracted from sources)

url: /actions/download.php?action=web&file=../../../etc/passwd
path: /actions/download.php
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS KLog Server Directory Traversal Attempt (CVE-2025-1035)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/actions/download.php|3f|action|3d|web|26|file|3d|"; startswith; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-1035.yaml; reference:cve,2025-1035; classtype:attempted-admin; sid:2060783; rev:1;)
  • Exploit requires authentication first via POST to /actions/entree.php with credentials, followed by a GET to /actions/download.php with a path traversal payload in the 'file' parameter.
  • Successful exploitation returns HTTP 200 with Content-Type 'application/octet-stream' and a 'filename=' header, with the body containing the traversed file content (e.g., matching 'root:.*:0:0:' for /etc/passwd).
  • The Snort/ET rule targets plaintext HTTP only (tls_state plaintext); traversal sequences in the URI use dot-dot patterns including URL-encoded variants (%2e, %2f, %5c).
  • The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); monitor perimeter and internal HTTP traffic for the URI pattern.
  • Exploitation requires prior authentication (low-privilege credentials); unauthenticated access alone is insufficient to trigger the path traversal.
  • The ET Snort rule only covers plaintext HTTP traffic (tls_state plaintext); HTTPS-wrapped traffic to KLog Server would not be detected by this signature.
  • The vulnerability affects KLog Server versions before 3.1.1 only; patched instances (3.1.1+) are not affected.
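The Snort rule above only sees plaintext traffic on the wire; the same URI match can be applied to the web server's own access log, which also covers the TLS-terminated case. The following is an added example (not code from the page's sources, from Emerging Threats, or from the vendor) that translates the rule's `startswith` content match and relative PCRE into Python, runs it over constructed combined-format access-log lines, and correlates each hit with a preceding POST to /actions/entree.php from the same source, since the bullets note that exploitation needs a prior login. The log format and all IP addresses, timestamps and sizes are constructed assumptions; the URI prefix, login path and traversal regex come from the rule and bullets above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Prefix that the Snort rule anchors on (content match with "startswith").
URI_PREFIX = "/actions/download.php?action=web&file="
# Login endpoint named in the bullets; a POST here marks the source as logged in.
LOGIN_PATH = "/actions/entree.php"

# Python translation of the rule's relative PCRE: from the start of the
# 'file' value, no '&' may intervene, and at least two "dot(s) + slash"
# groups must follow, in raw or percent-encoded form (%2e, %2f, %5c).
TRAVERSAL_RE = re.compile(
    r"^[^&]*?(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}"
)

# Minimal combined-log parser (assumed format, constructed for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Hit:
    src: str
    ts: str
    uri: str
    status: int
    prior_login: bool  # a POST to LOGIN_PATH from this source was seen earlier

    @property
    def likely_disclosure(self) -> bool:
        # The page's success indicator is HTTP 200 with an octet-stream body;
        # an access log only carries the status code, so this is a weaker signal.
        return self.status == 200


def is_traversal_request(method: str, uri: str) -> bool:
    """Mirror the rule: GET, URI starts with the prefix, traversal in 'file'."""
    if method != "GET" or not uri.startswith(URI_PREFIX):
        return False
    return TRAVERSAL_RE.match(uri[len(URI_PREFIX):]) is not None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return every traversal attempt, flagged with whether a login preceded it."""
    logged_in = set()
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        src, method, uri = m["src"], m["method"], m["uri"]
        if method == "POST" and urlsplit(uri).path == LOGIN_PATH:
            logged_in.add(src)
            continue
        if is_traversal_request(method, uri):
            hits.append(Hit(src, m["ts"], uri, int(m["status"]), src in logged_in))
    return hits


# Constructed sample lines, not real traffic: one login followed by two
# traversal attempts (raw and encoded), two benign downloads, and one
# unauthenticated encoded attempt that the server refused.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2025:10:00:01 +0000] "POST /actions/entree.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [18/Feb/2025:10:00:02 +0000] "GET /actions/download.php?action=web&file=../../../etc/passwd HTTP/1.1" 200 1824',
    '10.0.0.5 - - [18/Feb/2025:10:00:03 +0000] "GET /actions/download.php?action=web&file=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 210',
    '10.0.0.9 - - [18/Feb/2025:10:05:00 +0000] "GET /actions/download.php?action=web&file=report.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Feb/2025:10:05:10 +0000] "GET /actions/download.php?action=web&file=../report.csv HTTP/1.1" 404 0',
    '10.0.0.12 - - [18/Feb/2025:10:06:00 +0000] "GET /actions/download.php?action=web&file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.src} status={h.status} prior_login={h.prior_login} "
              f"likely_disclosure={h.likely_disclosure} uri={h.uri}")
```

Like the Snort rule, the regex requires at least two traversal groups, so a single `../` (which a legitimate relative download might contain) is not flagged; and like the rule it inspects the raw URI, so the percent-encoded variants are matched explicitly rather than decoded first. The `prior_login` flag is what separates an attempt that could have worked from one that the bullets say cannot, and `likely_disclosure` narrows further to responses the page associates with success.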