CVE-2025-34154
UnForm Server Manager < 10.1.12 Unauthenticated Arbitrary File Read
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.2EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
13 Aug 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
UnForm Server Manager versions prior to 10.1.12 expose an unauthenticated file read vulnerability via its log file analysis interface. The flaw resides in the arc endpoint, which accepts a fl parameter to specify the log file to be opened. Due to insufficient input validation and lack of path sanitization, attackers can supply relative paths to access arbitrary files on the host system — including sensitive OS-level files — without authentication.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Affected products
Synergetic Data Systems Inc. · UnForm Server Manager