CVE-2025-10777

6.3 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in JSC R7 R7-Office Document Server's /downloadas/ endpoint. Attackers can manipulate the 'cmd' parameter to access files outside the intended directory. This affects R7-Office Document Server installations up to version 20250820.

💻 Affected Systems

Products:
  • JSC R7 R7-Office Document Server
Versions: Up to 20250820
Operating Systems: All supported OS
Default Config Vulnerable: ⚠️ Yes
Notes: OpenOffice may not be affected according to the OpenOffice team's testing, but this hasn't been conclusively confirmed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers could read sensitive system files, potentially exposing configuration files, credentials, or other sensitive data stored on the server.

🟠

Likely Case

Attackers could access application files, configuration files, or other documents stored in accessible directories on the server.

🟢

If Mitigated

With proper input validation and file access controls, the server would return error responses and prevent file access outside intended directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The vendor states exploitation attempts consistently return error responses during their testing, but the vulnerability has been verified and patched.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.3.1.923

Vendor Advisory: Not provided in CVE description

Restart Required: No

Instructions:

  1. Download version 2025.3.1.923 or later from official R7-Office sources.
  2. Back up the current installation.
  3. Install the updated version following vendor documentation.
  4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict access to /downloadas/ endpoint

all

Block or restrict access to the vulnerable endpoint using web server configuration or network controls

# Example for Apache:
<Location /downloadas/>
    Require all denied
</Location>

# Example for Nginx:
location /downloadas/ {
    deny all;
}

🧯 If You Can't Patch

  • Implement strict input validation for the 'cmd' parameter to prevent path traversal sequences
  • Deploy a web application firewall (WAF) with path traversal protection rules
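The first item above asks for strict validation of the 'cmd' parameter. The check that actually holds up is not a search for "../" in the string but canonicalizing the requested path and confirming it is still inside the directory the handler may serve from. The function below is an added example written for this page, not R7-Office code: it assumes a download root of /var/lib/r7office/downloads (a placeholder; the real layout is not given here) and treats the file-name portion of 'cmd' as an untrusted string, since the page does not describe the parameter's exact format.

```python
from pathlib import Path
from typing import Optional

# Assumption for this example: the directory the download handler is allowed to
# serve from. The real R7-Office directory layout is not given on the page.
ALLOWED_ROOT = Path("/var/lib/r7office/downloads")


def resolve_download_path(cmd_value: str, root: Path = ALLOWED_ROOT) -> Optional[Path]:
    """Map the file-name component of the 'cmd' parameter to a path under `root`.

    Returns the canonical path if it stays inside `root`, otherwise None.
    Containment is checked on the canonicalized path (after '..' components and
    symlinks are resolved), not by scanning the string for '../', so mixed
    separators and other variants a pattern filter would miss are still rejected.
    """
    # Empty values and embedded NULs are never a valid file name.
    if not cmd_value or "\x00" in cmd_value:
        return None
    # Normalize backslashes so a '..\' sequence is handled like '../' instead of
    # being treated as part of a file name on a POSIX host.
    normalized = cmd_value.replace("\\", "/")
    # An absolute path (or a drive-letter path) would make `root / value` discard
    # the root entirely, so reject it before joining.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    root_resolved = root.resolve(strict=False)
    candidate = (root_resolved / normalized).resolve(strict=False)
    try:
        # relative_to raises ValueError when candidate is not under root.
        candidate.relative_to(root_resolved)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("report.docx", "sub/../report.docx", "../../etc/passwd",
                  "..\\..\\etc\\passwd", "/etc/passwd"):
        print(f"{value!r:28} -> {resolve_download_path(value)}")
```

The check runs on the value as the web framework hands it over (after one round of URL decoding), which is why it canonicalizes rather than blacklists: a rejected request should get a generic error response, and the decoded value is worth logging for the detection section further down.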

🔍 How to Verify

Check if Vulnerable:

Check if the server version is 20250820 or earlier and if the /downloadas/ endpoint is accessible

Check Version:

Check server documentation or admin interface for version information

Verify Fix Applied:

Verify the server version is 2025.3.1.923 or later and test the /downloadas/ endpoint with path traversal attempts

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /downloadas/ endpoint
  • Requests with path traversal sequences in 'cmd' parameter
  • Error responses from /downloadas/ endpoint

Network Indicators:

  • HTTP requests to /downloadas/ with '../' sequences in parameters
  • Unusual file access patterns from the server

SIEM Query:

http.url:*downloadas* AND (http.param:*../* OR http.param:*..\*)
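The query above matches the literal "../" and "..\" strings, so percent-encoded forms ("%2e%2e%2f") or doubly encoded ones ("%252e%252e") are missed unless the log pipeline decodes URLs before matching. The script below, added here as an example and not part of the original page or the vendor's tooling, applies the same log indicators to constructed access-log lines in combined log format: it isolates requests to /downloadas/, decodes each query parameter repeatedly until it stops changing, and only then looks for a traversal sequence. The log lines and client addresses (from the 203.0.113.0/24 documentation range) are made up for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2025:10:01:02 +0000] "GET /downloadas/?cmd=report.docx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [20/Aug/2025:10:01:05 +0000] "GET /downloadas/?cmd=../../../../etc/passwd HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.12 - - [20/Aug/2025:10:01:09 +0000] "GET /downloadas/?cmd=..%2F..%2Fconfig.json HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [20/Aug/2025:10:01:12 +0000] "GET /downloadas/?cmd=%252e%252e%5Cweb.config HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.14 - - [20/Aug/2025:10:02:00 +0000] "GET /healthcheck HTTP/1.1" 200 2 "-" "kube-probe/1.28"
"""

# Fields of a combined-log-format line that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Matches '../' and '..\' in an already decoded value.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a doubly encoded
    sequence such as %252e%252e%2f is seen by the matcher as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str, endpoint: str = "/downloadas/") -> list:
    """Return one record per request to `endpoint` whose query parameters or
    path contain a traversal sequence after full decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log-format line
        parts = urlsplit(m.group("target"))
        if endpoint not in parts.path:
            continue
        suspicious = []
        # parse_qsl applies one round of percent-decoding; decode_fully finishes it.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = decode_fully(value)
            if TRAVERSAL_RE.search(decoded):
                suspicious.append((name, decoded))
        decoded_path = decode_fully(parts.path)
        if TRAVERSAL_RE.search(decoded_path):
            suspicious.append(("<path>", decoded_path))
        for name, decoded in suspicious:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": m.group("status"), "param": name,
                         "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} '
              f'{hit["param"]}={hit["decoded"]!r}')
```

On the sample above the first and last lines are benign and the three in between are flagged, including the doubly encoded one that a literal "../" match would not see. The status code is kept in each record because the vendor reports that attempts return error responses, so a burst of 5xx responses on this endpoint paired with decoded traversal sequences is the pattern to alert on.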
