Full Report
CERT Polska has received a report about 3 vulnerabilities (from CVE-2025-65074 to CVE-2025-65076) found in WaveStore Server software.
Analysis Summary
Summary of the security flaws reported in WaveStore Server software.
***
# Vulnerability: Multiple Path Traversal Flaws in WaveStore Server
## CVE Details
The advisory details three distinct vulnerabilities, all stemming from Path Traversal weaknesses:
| CVE ID | CVSS Score | Severity | CWE |
| :--- | :--- | :--- | :--- |
| CVE-2025-65074 | Not Specified | Not Specified | CWE-22 (Path Traversal) |
| CVE-2025-65075 | Not Specified | Not Specified | CWE-22 (Path Traversal) |
| CVE-2025-65076 | Not Specified | Not Specified | CWE-22 (Path Traversal) |
*Note: CVSS scores were not provided in the source material.*
## Affected Systems
- **Products:** WaveStore Server
- **Versions:** All versions prior to **6.44.44**
- **Configurations:** Systems where the WaveView client communicates with the WaveStore Server, specifically through the `showerr`, `alog`, and `ilog` scripts.
## Vulnerability Description
These vulnerabilities are all instances of **Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) (CWE-22)** within scripts executed by the WaveView client on the WaveStore Server. These flaws allow a high-privilege attacker to manipulate script execution paths:
1. **CVE-2025-65074 (`showerr` script):** Allows an attacker to execute **arbitrary OS commands** on the server.
2. **CVE-2025-65075 (`alog` script):** Allows an attacker to **read or delete files** on the server, with permissions matching the `dvr` user.
3. **CVE-2025-65076 (`ilog` script):** Allows an attacker to **read or delete any file** on the server, because the script is executed with **root privileges**.
## Exploitation
- **Status:** Information regarding exploitation in the wild is **Not specified**.
- **PoC Availability:** Not explicitly mentioned, but the detailed description suggests high exploitability for researchers familiar with path traversal.
- **Complexity:** Requires **High privileges** to leverage these vulnerabilities (indicating the attacker must already have significant access to the WaveView client interface).
- **Attack Vector:** The interaction is through the WaveView client/server communication model.
## Impact
| Impact | Level | Notes |
| :--- | :--- | :--- |
| Confidentiality | High | Due to the ability to read files, potentially including sensitive configuration or system data (especially with CVE-2025-65076). |
| Integrity | High | Ability to delete files (CVE-2025-65075, CVE-2025-65076) and execute arbitrary OS commands (CVE-2025-65074). |
| Availability | High | Command execution and file deletion can lead to system instability or denial of service conditions. |
## Remediation
### Patches
- **Fixed Versions:** Resolution is available starting from **WaveStore Server version 6.44.44**. Users must upgrade to this version or later.
### Workarounds
- No explicit workarounds were provided in the summary; immediate patching is the recommended course of action. Reducing permissions of the integrated user accounts involved in script execution, if feasible, may limit the scope of impact until patching occurs.
## Detection
- **Indicators of Compromise:** Monitor server logs for unusual execution patterns related to the `showerr`, `alog`, and `ilog` functions. Look for unexpected file access or modifications originating from these services, particularly file I/O operations where none should be occurring.
- **Detection Methods and Tools:** Runtime analysis tools capable of monitoring system calls (like file read/write/delete operations or execution spawns) associated with the WaveStore Server processes should be utilized.
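
One way to apply the log-monitoring advice above, as an added example that is not WaveStore's or CERT Polska's code: flag log lines that name one of the three affected scripts and, after undoing nested percent-encoding and backslash separators, contain a `..` path segment. The log layout, the `file=` field and the function names are assumptions for illustration; the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Script-to-CVE mapping taken from the advisory.
SCRIPT_CVES = {"showerr": "CVE-2025-65074", "alog": "CVE-2025-65075",
               "ilog": "CVE-2025-65076"}
SCRIPT_RE = re.compile(r"\b(showerr|alog|ilog)\b")
# ".." as a whole path segment, after normalisation.
DOTDOT_RE = re.compile(r"(?:^|[/\s=])\.\.(?:/|\s|$)")


def normalise(text, max_rounds=3):
    """Undo nested percent-encoding and unify path separators."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")


def scan(lines):
    """Return (line_number, script, cve) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        clean = normalise(line)
        match = SCRIPT_RE.search(clean)
        if match and DOTDOT_RE.search(clean):
            hits.append((number, match.group(1), SCRIPT_CVES[match.group(1)]))
    return hits


# Constructed sample lines; the layout and the "file=" field are
# assumptions, not WaveStore's real log format.
SAMPLE_LOG = [
    "2025-11-20T10:01:02 user=admin script=alog file=events/2025-11-19.log",
    "2025-11-20T10:01:09 user=admin script=alog file=../../etc/hostname",
    "2025-11-20T10:02:41 user=admin script=ilog file=%252e%252e%252fconf/site.cfg",
    "2025-11-20T10:03:15 user=admin script=showerr file=..\\..\\tmp\\report.txt",
    "2025-11-20T10:04:00 user=admin script=ilog file=archive..old/summary.txt",
    "2025-11-20T10:05:30 user=admin script=catalog file=../notes.txt",
]

if __name__ == "__main__":
    for number, script, cve in scan(SAMPLE_LOG):
        print(f"line {number}: traversal sequence in {script} request ({cve})")
```

A hit only means the request deserves review; correlate it with the file-access and process-spawn telemetry described above before treating it as a compromise.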
## References
- Vendor advisories are implied through the coordination mentioned by CERT Polska.
- **Coordination Details:** https://cert.pl/en/cvd/