CVE-2025-70084
📋 TL;DR
A directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to access sensitive files or delete arbitrary files by manipulating input to the FileUtil_GetFileInfo function. This affects all systems running OpenSatKit 2.2.1, particularly those using the file manager component for satellite ground systems.
💻 Affected Systems
- OpenSatKit
📦 What is this software?
OpenSatKit (vendor: OpenSatKit)
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files or exfiltration of sensitive configuration data, potentially leading to satellite control system disruption.
Likely Case
Unauthorized access to sensitive configuration files, logs, or mission data stored within the OpenSatKit filesystem.
If Mitigated
Limited impact if proper input validation and file permission controls are implemented, restricting access to non-critical directories.
🎯 Exploit Status
Exploitation requires understanding of OpenSatKit's file system structure and ability to craft malicious input to the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub releases for version >2.2.1
Vendor Advisory: https://github.com/OpenSatKit/OpenSatKit
Restart Required: No
Instructions:
1. Check the OpenSatKit GitHub repository for the latest release.
2. Update to the patched version.
3. Verify that the filemgr component has proper input validation.
🔧 Temporary Workarounds
Input Validation Enhancement
Platform: all
Implement strict input validation in FileUtil_GetFileInfo to reject directory traversal sequences (such as "../" components) before the path is used.
Modify dir.c to sanitize input parameters before processing.
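As an added illustration of the check the workaround above calls for (example code, not OpenSatKit's own), a C function that accepts a caller-supplied file path only if it is absolute, lies under a configured base directory, and contains no "." or ".." components. The base directory and the MAX_PATH_LEN limit are assumed values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer limit; OpenSatKit's real path length constant is not given on the page. */
#define MAX_PATH_LEN 64

/* Accept Path only if it is NUL-terminated within MAX_PATH_LEN, absolute,
 * located under BaseDir (given without a trailing slash), and free of
 * "." and ".." components, so it cannot name a file outside BaseDir.
 * Run this before any open/stat/remove on a caller-supplied path. */
bool PathIsConfined(const char *Path, const char *BaseDir)
{
    const char *Nul = memchr(Path, '\0', MAX_PATH_LEN);
    size_t BaseLen = strlen(BaseDir);
    const char *p = Path;

    if (Nul == NULL || Nul == Path) return false;          /* too long or empty */
    if (Path[0] != '/') return false;                       /* relative: cwd-dependent, reject */
    if (strncmp(Path, BaseDir, BaseLen) != 0) return false; /* not under the base directory */
    if (Path[BaseLen] != '/' && Path[BaseLen] != '\0')      /* "/data" must not match "/database" */
        return false;

    /* Walk each '/'-separated component and refuse "." and ".." */
    while (*p != '\0') {
        const char *Start;
        size_t Len;
        while (*p == '/') p++;                              /* skip separator(s) */
        Start = p;
        while (*p != '\0' && *p != '/') p++;
        Len = (size_t)(p - Start);
        if (Len == 1 && Start[0] == '.') return false;
        if (Len == 2 && Start[0] == '.' && Start[1] == '.') return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs against an assumed base directory */
    const char *Base = "/opt/osk/data";
    const char *Samples[] = { "/opt/osk/data/tlm.bin", "/opt/osk/data/../cf/app.so",
                              "/etc/passwd", "/opt/osk/database/x" };
    for (size_t i = 0; i < sizeof Samples / sizeof Samples[0]; i++)
        printf("%-32s %s\n", Samples[i], PathIsConfined(Samples[i], Base) ? "allowed" : "rejected");
    return 0;
}
```

Rejecting "." and ".." outright is deliberate: resolving them lexically or with realpath() after the fact still leaves symlink and race issues, whereas a plain whitelist of well-formed paths under the base directory does not.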
File Permission Restriction
Platform: Linux
Apply strict file system permissions to limit the directories the OpenSatKit process can reach; this only helps when the service runs as an unprivileged account rather than as root:
chmod 750 /path/to/opensatkit/data
chown root:opensatkit /path/to/opensatkit
🧯 If You Can't Patch
- Implement network segmentation to isolate OpenSatKit systems from untrusted networks
- Deploy file integrity monitoring to detect unauthorized file access or deletion
🔍 How to Verify
Check if Vulnerable:
Confirm the installed OpenSatKit version is 2.2.1 and inspect dir.c for missing input validation in FileUtil_GetFileInfo.
Check Version:
Check OpenSatKit configuration files or build metadata for version information
Verify Fix Applied:
Verify updated version >2.2.1 and test that directory traversal attempts are properly rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in OpenSatKit logs
- Failed file operations with suspicious path parameters
Network Indicators:
- Unexpected file transfer activity from OpenSatKit systems
SIEM Query:
source="opensatkit.log" AND ("FileUtil_GetFileInfo" OR "../" OR "./")
Note that "./" also matches ordinary relative paths, so expect noise from this query and tune it to the path formats your deployment actually uses.