CVE-2025-3722
📋 TL;DR
A path traversal vulnerability in System Information Reporter (SIR) versions 1.0.3 and earlier allows authenticated high-privilege users to create or overwrite files anywhere on the filesystem via malicious ePO post requests. This could lead to sensitive information disclosure or system disruption. Only organizations using affected SIR versions are impacted.
💻 Affected Systems
- System Information Reporter (SIR)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker overwrites critical system files, causing system instability or complete compromise, while also exfiltrating sensitive data.
Likely Case
Malicious insider or compromised admin account creates backdoors, modifies configuration files, or accesses sensitive information stored elsewhere on the filesystem.
If Mitigated
Limited impact with proper access controls, monitoring, and network segmentation preventing unauthorized file operations.
🎯 Exploit Status
Exploitation requires authenticated high-privilege access but path traversal techniques are well-understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.4 or later
Vendor Advisory: https://thrive.trellix.com/s/article/000014635
Restart Required: Yes
Instructions:
1. Download SIR version 1.0.4 or later from official vendor sources.
2. Back up the current configuration.
3. Stop the SIR service.
4. Install the updated version.
5. Restart the SIR service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict ePO Post Request Access
Limit network access to SIR ePO endpoints to trusted management systems only.
Use firewall rules to restrict access to the SIR port (typically 8443) to specific source IP addresses.
Implement Least Privilege
Reduce the number of users with high-privilege access to SIR administration.
Review and minimize admin accounts with SIR access; every remaining account is a potential path to this vulnerability.
🧯 If You Can't Patch
- Implement strict file system permissions to limit where SIR service account can write
- Enable detailed logging of all ePO post requests and file operations for anomaly detection
🔍 How to Verify
Check if Vulnerable:
Check SIR version via administration interface or configuration files. Versions 1.0.3 or earlier are vulnerable.
Check Version:
Check SIR web interface or configuration file for version information
Verify Fix Applied:
Confirm SIR version is 1.0.4 or later and test that path traversal attempts in ePO requests are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation events outside expected directories
- Multiple failed path traversal attempts in SIR logs
- Suspicious ePO post requests with directory traversal patterns (../)
Network Indicators:
- Unusual ePO traffic patterns to SIR endpoints
- POST requests containing path traversal sequences
SIEM Query:
source="sir_logs" AND ("../" OR "..\" OR "%2e%2e%2f") AND method="POST"
A literal match like this misses double-encoded (%252e%252e%252f) and backslash-encoded (%2e%2e%5c) variants; either add those patterns or decode request parameters before matching.