CVE-2025-69612

6.5 MEDIUM

📋 TL;DR

This path traversal vulnerability in TMS Management Console allows authenticated users to read arbitrary files that the web application's service account can access by manipulating the filePath parameter of the Download Template function. Attackers can retrieve sensitive files such as Web.config, which holds configuration secrets and connection strings. Only version 6.3.7.27386.20250818 of TMS Management Console is listed as affected.

💻 Affected Systems

Products:
  • TMS Management Console
Versions: 6.3.7.27386.20250818
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Management Console interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain access to sensitive configuration files, database credentials, and other system files, potentially leading to full server compromise and data exfiltration.

🟠 Likely Case

Authenticated users or attackers who obtain credentials read Web.config and other sensitive files to harvest credentials and configuration data for further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the application server's file system without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof of concept available on GitHub demonstrates reading Web.config. Exploitation requires valid user credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://tmsglobalsoft.com/

Restart Required: No

Instructions:

Check vendor website for security updates. No official patch information available at this time.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement server-side validation that canonicalises the requested filePath (percent-decode it, treat \ and / alike, resolve .. segments) and rejects any request whose resolved path does not stay inside the template directory. Rejecting only the literal sequences ../ and ..\ is not sufficient: percent-encoded variants such as %2e%2e%2f or ..%5c pass a substring filter and are decoded by the framework before the file is opened.

Access Control Restriction (all)

Restrict access to the Management Console interface to trusted IP addresses only
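The following is an added example, not code from TMS Management Console or the vendor (the console is an ASP.NET application whose handler is not public, so the pattern is shown in Python). It puts the weak substring filter next to a canonicalising containment check and runs both over the reported ../Web.config shape plus encoded variants. TEMPLATE_ROOT and the probe strings are assumptions.

```python
"""Path containment for a template-download handler (added example).

Not the vendor's code: TEMPLATE_ROOT, the probe values and the handler
shape are assumptions used to illustrate the workaround above.
"""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Assumed location of the template directory on the web server.
TEMPLATE_ROOT = "/inetpub/wwwroot/TMS/Templates"


def naive_filter_allows(file_path: str) -> bool:
    """Substring filter that rejects only literal '../' and '..\\'.

    Kept here to show what such a filter misses, not as a recommendation.
    """
    return "../" not in file_path and "..\\" not in file_path


def resolve_under_root(file_path: str, root: str = TEMPLATE_ROOT) -> Optional[str]:
    """Return the canonical path if file_path stays inside root, else None.

    Percent-decodes twice (catches double encoding), treats backslash and
    slash alike (Windows accepts both), refuses NUL bytes, rooted paths and
    drive letters, collapses '..' segments, then requires the result to be
    strictly below root.
    """
    decoded = unquote(unquote(file_path))
    if "\x00" in decoded:
        return None
    unified = decoded.replace("\\", "/")
    if unified.startswith("/") or (len(unified) >= 2 and unified[1] == ":"):
        return None  # absolute path or drive letter: never a template name
    candidate = posixpath.normpath(posixpath.join(root, unified))
    if not candidate.startswith(root.rstrip("/") + "/"):
        return None  # escaped the template directory, or named the root itself
    return candidate


# Constructed probes: one legitimate name and traversal variants modelled
# on the reported ../Web.config case.
PROBES = (
    "invoice.docx",             # legitimate template
    "../Web.config",            # reported PoC shape
    "..\\Web.config",           # backslash form
    "%2e%2e/Web.config",        # percent-encoded dots
    "..%5cWeb.config",          # percent-encoded backslash
    "%252e%252e/Web.config",    # double-encoded
    "sub/../../Web.config",     # traversal through a subdirectory
)


def compare_filters() -> Dict[str, Tuple[bool, bool]]:
    """Per probe: (naive filter lets it through?, containment check lets it through?)."""
    return {p: (naive_filter_allows(p), resolve_under_root(p) is not None) for p in PROBES}


if __name__ == "__main__":
    for probe, (naive_ok, hardened_ok) in compare_filters().items():
        print(f"{probe!r:28} naive={'allow' if naive_ok else 'reject':6} hardened={'allow' if hardened_ok else 'reject'}")
```

Three of the seven probes pass the substring filter and all of them are stopped by the containment check, which is the difference between "sanitised path" and "rejected request" that the verification step relies on.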

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests containing directory traversal patterns, including percent-encoded and double-encoded forms; treat this as a stopgap, since traversal signatures are routinely bypassed
  • Monitor and alert on access to sensitive files like Web.config from the Management Console application; baseline first, because the worker process legitimately reads its own Web.config at startup and on configuration change

🔍 How to Verify

Check if Vulnerable:

Using an authenticated session, call the Download Template function with a filePath parameter of ../Web.config, and repeat with encoded forms (..%2fWeb.config, ..%5cWeb.config). If the file contents are returned, the system is vulnerable.

Check Version:

Check application version in Management Console interface or application files

Verify Fix Applied:

Retest the Download Template function with the same traversal sequences, including the encoded forms. A correct fix rejects the request with an error; a response that silently strips one level of ../ and still serves a file is not a fix, because nested or encoded sequences get past it.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to the Download Template endpoint with ../ patterns in parameters, including percent-encoded forms (%2e%2e%2f, ..%5c), since IIS records the query string as received
  • Access to Web.config or other sensitive files from the Management Console process outside its normal startup and configuration-reload reads

Network Indicators:

  • HTTP GET/POST requests containing ../ or ..\ sequences, raw or percent-encoded, in URL parameters or form bodies

SIEM Query:

source="web_server" AND (uri="*DownloadTemplate*" AND (param="*../*" OR param="*..\\*"))

The param match assumes the log source stores decoded parameter values; where the raw query string is indexed, add the encoded variants (*%2e%2e*, *..%2f*, *..%5c*) to the OR clause.
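As an added example (not from the original page or the vendor), the logic of the SIEM query above run over constructed IIS W3C log lines: the query string is decoded before matching so that encoded traversal attempts are caught, and hits are grouped by user and source address. The field layout, the /DownloadTemplate path and the filePath parameter name are assumptions about how the console logs requests.

```python
"""Traversal detection for the Download Template endpoint (added example).

Not from the vendor or the original page. The log format below is a
constructed IIS W3C sample; endpoint and parameter names are assumptions.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote

# Constructed sample in IIS W3C format; IIS logs cs-uri-query still encoded.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-09-01 10:00:01 GET /DownloadTemplate filePath=invoice.docx alice 10.0.0.5 200
2025-09-01 10:00:07 GET /DownloadTemplate filePath=../Web.config bob 10.0.0.9 200
2025-09-01 10:00:09 GET /DownloadTemplate filePath=%2e%2e%2fWeb.config bob 10.0.0.9 200
2025-09-01 10:00:12 GET /DownloadTemplate filePath=..%5c..%5cWeb.config bob 10.0.0.9 200
2025-09-01 10:00:15 GET /Reports/Export id=..%2f..%2fetc carol 10.0.0.7 404
2025-09-01 10:00:20 GET /DownloadTemplate filePath=reports%2Fq1.xlsx alice 10.0.0.5 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text using its #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def has_traversal(value: str) -> bool:
    """True if value, after double decoding and separator unification, has a '..' segment."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return ".." in decoded.split("/")


def find_traversal_attempts(rows: List[Dict[str, str]], endpoint: str = "DownloadTemplate") -> List[Dict[str, str]]:
    """Requests to the endpoint whose parameters contain a traversal sequence."""
    hits: List[Dict[str, str]] = []
    for r in rows:
        if endpoint.lower() not in r.get("cs-uri-stem", "").lower():
            continue
        # parse_qsl decodes once; has_traversal decodes again for double encoding.
        for name, value in parse_qsl(r.get("cs-uri-query", ""), keep_blank_values=True):
            if has_traversal(value):
                hits.append({"user": r["cs-username"], "ip": r["c-ip"],
                             "param": name, "value": value, "status": r["sc-status"]})
    return hits


def hits_by_source(hits: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count attempts per (user, ip) pair; repeated probing from one account stands out."""
    counts: Dict[Tuple[str, str], int] = {}
    for h in hits:
        key = (h["user"], h["ip"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_traversal_attempts(parse_w3c(SAMPLE_LOG))
    for h in found:
        print(f"{h['user']}@{h['ip']} {h['param']}={h['value']!r} status={h['status']}")
    print(hits_by_source(found))
```

A 200 status on a traversal request is the strongest signal: it means the file was served, not merely requested.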
