CVE-2025-1035
Published 2025-02-18
CVE-2025-1035: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input…
Priority: P3 · Severity: medium · CVSS 3.1 base score: 5.7 (vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Exploit likelihood: EPSS 9.75% (94.9th percentile)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls.
This issue affects KLog Server: before 3.1.1.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| komtera_technolgies | klog_server | < 3.1.1 | 3.1.1 |
Detection & IOCs (extracted from sources)
Snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS KLog Server Directory Traversal Attempt (CVE-2025-1035)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/actions/download.php|3f|action|3d|web|26|file|3d|"; startswith; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-1035.yaml; reference:cve,2025-1035; classtype:attempted-admin; sid:2060783; rev:1;)
```
- Exploit requires authentication first via POST to /actions/entree.php with credentials, followed by a GET to /actions/download.php with a path traversal payload in the 'file' parameter.
- Successful exploitation returns HTTP 200 with Content-Type 'application/octet-stream' and a 'filename=' header, with the body containing the traversed file content (e.g., matching 'root:.*:0:0:' for /etc/passwd).
- The Snort/ET rule targets plaintext HTTP only (tls_state plaintext); traversal sequences in the URI use dot-dot patterns including URL-encoded variants (%2e, %2f, %5c).
- The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); monitor perimeter and internal HTTP traffic for the URI pattern.
- Exploitation requires prior authentication (low-privilege credentials); unauthenticated access alone is insufficient to trigger the path traversal.
- The ET Snort rule only covers plaintext HTTP traffic (tls_state plaintext); HTTPS-wrapped traffic to KLog Server would not be detected by this signature.
- The vulnerability affects KLog Server versions before 3.1.1 only; patched instances (3.1.1+) are not affected.
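To make explicit what SID 2060783 keys on, the following is an added Python re-implementation of the rule's URI prefix match and traversal regex, run over constructed access-log lines; it is not part of this page or of the ET ruleset. Since the network signature only sees plaintext HTTP, the same check can be applied to the web server's own access log (written after TLS termination) to cover the HTTPS gap noted above; the log format, client addresses and file names below are assumptions.

```python
import re

# Prefix from the rule's content match, with |3f| |3d| |26| decoded to ? = &.
RULE_PREFIX = "/actions/download.php?action=web&file="

# The rule's pcre, anchored where the prefix ends (the "/R" modifier):
# before the next '&', two or more groups of 1-2 dots (raw or %2e)
# each followed by at least one slash or backslash (raw, %2f or %5c).
TRAVERSAL_RE = re.compile(
    r"^[^&]*?(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}"
)


def matches_rule(method: str, uri: str) -> bool:
    """True when a request line would trigger the ET rule (GET + prefix + traversal)."""
    if method != "GET" or not uri.startswith(RULE_PREFIX):
        return False
    return TRAVERSAL_RE.match(uri[len(RULE_PREFIX):]) is not None


# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2025:10:01:02 +0000] "GET /actions/download.php?action=web&file=report.log HTTP/1.1" 200 512
10.0.0.5 - - [11/Mar/2025:10:01:09 +0000] "GET /actions/download.php?action=web&file=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.7 - - [11/Mar/2025:10:02:11 +0000] "GET /actions/download.php?action=web&file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
10.0.0.7 - - [11/Mar/2025:10:02:40 +0000] "POST /actions/download.php?action=web&file=../../x HTTP/1.1" 405 0
10.0.0.9 - - [11/Mar/2025:10:03:00 +0000] "GET /actions/entree.php HTTP/1.1" 200 231
"""

# Pulls method and request-URI out of the quoted request field.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def scan_log(text: str) -> list:
    """Return (line_no, client_ip, uri) for every log line the rule would flag."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if m and matches_rule(m["method"], m["uri"]):
            hits.append((n, line.split()[0], m["uri"]))
    return hits


if __name__ == "__main__":
    for n, ip, uri in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {uri}")
```

Only the two GET requests whose file parameter carries repeated (raw or percent-encoded) dot-slash sequences are flagged; the plain download, the POST and the login request are not.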
Suricata
ET WEB_SPECIFIC_APPS KLog Server Directory Traversal Attempt (CVE-2025-1035)
suricata · 2025-03-11 · CVSS 5.7 · MEDIUM
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS KLog Server Directory Traversal Attempt (CVE-2025-1035)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/actions/download.php|3f|action|3d|web|26|file|3d|"; startswith; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-1035.yaml; reference:cve,2025-1035; classtype:attempted-admin; sid:2060783; rev:1; metadata:affected_product KLog_Server, attack_target Web_Server, tls_state plaintext, created_at 2025_03_11, cve CVE_2025_1035, deployment Perimeter, deployment Internal, performance_i
```
Nuclei
KLog Server - Path Traversal
nuclei · CVSS 5.7 · MEDIUM
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1.
Template:
```yaml
id: CVE-2025-1035

info:
  name: KLog Server - Path Traversal
  author: s4e-io
  severity: medium
  description: |
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls.This issue affects KLog Server: before 3.1.1.
  impact: |
    Authenticated attackers can exploit path traversal vulnerabilities to read arbitrary files from the KLog Server, potentially exposing sensitive system files, configuration data, and stored lo
```
No writeups or analysis indexed.
Published: 2025-02-18