CVE-2025-13879
📋 TL;DR
A directory traversal vulnerability in SOLIDserver IPAM v8.2.3 allows authenticated administrators to list directories outside their authorized scope via the 'directory' parameter in '/mod/ajax.php?action=sections/list/list'. This affects organizations using the vulnerable version of EfficientIP's IP address management solution.
💻 Affected Systems
- EfficientIP SOLIDserver IPAM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Administrator could enumerate sensitive system files, potentially discovering credentials, configuration files, or other sensitive data that could lead to further system compromise.
Likely Case
Administrator gains unauthorized visibility into directory structures and file listings beyond intended scope, potentially exposing sensitive operational data.
If Mitigated
Limited information disclosure with no direct file access or modification capabilities.
🎯 Exploit Status
Exploitation requires valid administrator credentials and involves simple parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest patched version
Vendor Advisory: https://efficientip.com/resources/solidserver-ipam-solutions-3/
Restart Required: Yes
Instructions:
1. Check vendor advisory for latest patched version
2. Backup current configuration
3. Apply vendor-provided patch or upgrade
4. Restart SOLIDserver services
5. Verify fix implementation
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation that restricts the 'directory' parameter to allowed paths only
Modify /mod/ajax.php to validate the 'directory' parameter against a whitelist
Access Control Restriction
Restrict access to the vulnerable endpoint to only the administrative users who need it
Configure web server ACLs to limit access to /mod/ajax.php
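The following is an added example, not SOLIDserver code or anything from EfficientIP: it sketches the kind of whitelist check the Input Validation Filter workaround describes, applied to the decoded value of a 'directory' parameter. SECTION_ROOT is a constructed placeholder for the one directory a listing endpoint is meant to expose; relative values are anchored to it, absolute values must already lie under it, and anything that normalises to a path outside it is rejected.

```python
"""Allowlist check for a user-supplied 'directory' parameter.

Added example, not SOLIDserver code: it shows the validation the
workaround calls for. SECTION_ROOT is a constructed example of the
one directory a listing endpoint is allowed to expose.
"""
import posixpath
from typing import Optional

# Constructed for this example; a real deployment would use the
# directory the listing feature is actually meant to serve.
SECTION_ROOT = "/var/www/sections"


def validate_directory(requested: str, root: str = SECTION_ROOT) -> Optional[str]:
    """Return the normalised absolute path if `requested` stays inside `root`,
    otherwise None.

    Relative values are joined to `root`; absolute values are accepted only
    when they already lie under `root`. The check is lexical (posixpath), so it
    must run on the URL-decoded value the application actually sees, and it
    does not follow symlinks; add os.path.realpath if the root can contain links.
    """
    if not requested or "\x00" in requested:
        return None
    root = posixpath.normpath(root)
    # Treat backslashes as separators so 'a\..\..' normalises like 'a/../..'.
    path = requested.replace("\\", "/")
    if not path.startswith("/"):
        path = posixpath.join(root, path)
    candidate = posixpath.normpath(path)
    # commonpath is prefix-safe: '/var/www/sectionsX' does not share the root
    # '/var/www/sections', whereas a plain startswith() check would accept it.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    samples = ("reports", ".", "/var/www/sections/exports", "a/../b",
               "../", "/", "..\\..\\etc", "/var/www/sectionsX", "")
    for value in samples:
        print(repr(value), "->", validate_directory(value))
```

The function returns the canonical path rather than a bare boolean so the caller lists exactly the directory that was checked; validating one string and then opening another is how normalisation checks get bypassed.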
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SOLIDserver from sensitive systems
- Enforce principle of least privilege for administrator accounts and monitor their activity
🔍 How to Verify
Check if Vulnerable:
Test authenticated access to /mod/ajax.php?action=sections/list/list with directory parameter set to '/' or '../'
Check Version:
Check the version in the SOLIDserver web interface admin panel, or consult vendor documentation for the version command
Verify Fix Applied:
Attempt the same directory traversal after patch application; should return error or empty result
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /mod/ajax.php with unusual directory parameters
- Multiple failed directory listing attempts
- Administrator account accessing unexpected file paths
Network Indicators:
- Unusual patterns of requests to the vulnerable endpoint from administrator accounts
SIEM Query:
source="web_logs" AND uri_path="/mod/ajax.php" AND (query_string CONTAINS "directory=/" OR query_string CONTAINS "directory=../")
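As an added example (not part of the original advisory and not SOLIDserver code), the log indicators above can be checked outside a SIEM with a short parser over web server access logs. The log lines below are constructed for the example in combined log format; the script extracts requests to /mod/ajax.php, URL-decodes the 'directory' parameter the way the application would, flags absolute paths or '..' segments, and then counts flagged requests per source and account so that repeated attempts by one administrator stand out. Decoding before matching is the point the string-only SIEM query misses: a percent-encoded value such as directory=%2F is the same request as directory=/.

```python
"""Detect suspicious 'directory' values in requests to /mod/ajax.php.

Added example, not vendor code. SAMPLE_LOG is constructed for the
demonstration and does not come from any real system.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Nov/2025:10:01:02 +0000] "GET /mod/ajax.php?action=sections/list/list&directory=reports HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/Nov/2025:10:01:09 +0000] "GET /mod/ajax.php?action=sections/list/list&directory=../ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/Nov/2025:10:01:15 +0000] "GET /mod/ajax.php?action=sections/list/list&directory=%2F HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - ops [12/Nov/2025:10:02:00 +0000] "GET /mod/ajax.php?action=other/thing&directory=../ HTTP/1.1" 200 100 "-" "curl/8.0"
10.0.0.9 - - [12/Nov/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def directory_is_suspicious(value: str) -> bool:
    """True if a decoded 'directory' value is absolute or walks up with '..'."""
    path = value.replace("\\", "/")
    if path.startswith("/"):
        return True
    return ".." in path.split("/")


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per /mod/ajax.php request whose 'directory' value
    is absolute or contains a '..' segment. parse_qs URL-decodes the value,
    so encoded and plain forms are treated the same."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if parts.path != "/mod/ajax.php":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("directory", []):
            if directory_is_suspicious(value):
                findings.append({
                    "ip": m["ip"],
                    "user": m["user"],
                    "timestamp": m["ts"],
                    "action": params.get("action", [""])[0],
                    "directory": value,
                    "status": m["status"],
                })
    return findings


def repeat_offenders(findings: List[Dict[str, str]], threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """Group findings by (ip, user) and keep those at or above `threshold`,
    matching the 'multiple attempts' indicator."""
    counts = Counter((f["ip"], f["user"]) for f in findings)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_traversal_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['timestamp']} {h['ip']} {h['user']} action={h['action']} directory={h['directory']!r} status={h['status']}")
    print("repeat offenders:", repeat_offenders(hits))
```

Every request to /mod/ajax.php is checked regardless of the action value, since the advisory's log indicators are about unusual directory parameters on that endpoint, not only the sections/list/list action; the action is kept in the finding so an analyst can prioritise.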