CVE-2025-14224

4.3 MEDIUM

📋 TL;DR

A path traversal vulnerability in Yottamaster DM2, DM3, and DM200 NAS devices allows attackers to upload files to arbitrary locations via the file upload component. This affects versions up to 1.2.23/1.9.12. Remote exploitation is possible without authentication.

💻 Affected Systems

Products:
  • Yottamaster DM2
  • Yottamaster DM3
  • Yottamaster DM200
Versions: Up to version 1.2.23/1.9.12
Operating Systems: NAS firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the file upload component. The exact vulnerable endpoints are not known.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could overwrite critical system files, install backdoors, or achieve remote code execution by uploading malicious files to sensitive directories.

🟠 Likely Case

Unauthorized file upload to arbitrary locations, potentially leading to data manipulation, privilege escalation, or denial of service.

🟢 If Mitigated

Limited impact if file upload functionality is disabled or restricted to authenticated users only.

🌐 Internet-Facing: HIGH - Remote exploitation is possible and public exploit exists.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if devices are network-accessible.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit has been made public according to references. Remote exploitation possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates. Consider workarounds or replacement.

🔧 Temporary Workarounds

Disable file upload functionality (applies to: all)

If possible, disable the vulnerable file upload component through device configuration.

Network segmentation (applies to: all)

Isolate affected NAS devices from untrusted networks and internet access.

🧯 If You Can't Patch

  • Implement strict network access controls to limit device exposure
  • Monitor file upload activity and audit logs for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version in the web interface or via SSH, if available. Versions ≤1.2.23/1.9.12 are vulnerable.

Check Version:

Check web admin interface → System Information → Firmware Version

Verify Fix Applied:

No official fix available. Verify workarounds by testing file upload restrictions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload requests
  • Requests with path traversal patterns (../)
  • Unauthenticated file upload attempts

Network Indicators:

  • HTTP POST requests to file upload endpoints with path traversal payloads

SIEM Query:

source="nas_logs" AND (url="*upload*" AND (payload="*../*" OR user="anonymous"))
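Added example (not from this advisory or the vendor): a small Python checker that applies the log indicators above to Common Log Format lines. The endpoint /cgi-bin/upload.cgi and the sample lines are constructed, since the real vulnerable endpoint is not published; the checker percent-decodes the URL before matching so that encoded traversal (%2e%2e%2f, double-encoded %252e) is not missed the way a literal "*../*" match would miss it.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines. The upload endpoint is hypothetical;
# the actual vulnerable endpoint for CVE-2025-14224 is not public.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [01/Jan/2025:10:00:00 +0000] "POST /cgi-bin/upload.cgi?path=/share/docs HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "POST /cgi-bin/upload.cgi?path=../../../../etc HTTP/1.1" 200 0',
    '198.51.100.7 - anonymous [01/Jan/2025:10:02:00 +0000] "POST /cgi-bin/upload.cgi?path=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 0',
    '10.0.0.9 - admin [01/Jan/2025:10:03:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 1024',
    '203.0.113.4 - - [01/Jan/2025:10:04:00 +0000] "POST /cgi-bin/upload.cgi?path=..%255c..%255cbin HTTP/1.1" 200 0',
]

# Common Log Format: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)
# Forward- or back-slash parent-directory steps after decoding
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def normalize(url):
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both become ../"""
    prev = None
    for _ in range(3):
        if url == prev:
            break
        prev, url = url, unquote(url)
    return url


def classify(line):
    """Return a finding dict for suspicious upload requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = normalize(m['url'])
    if 'upload' not in url.lower():
        return None
    reasons = []
    if TRAVERSAL_RE.search(url):
        reasons.append('path_traversal')
    if m['user'] in ('-', 'anonymous'):  # no authenticated user recorded
        reasons.append('unauthenticated_upload')
    if not reasons:
        return None
    return {'ip': m['ip'], 'user': m['user'], 'url': m['url'], 'reasons': reasons}


def scan(lines):
    """Run classify over every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```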
