
ID: VDE-2025-085

Published: 2025-09-10 09:00 (CEST)

Last update: 2025-09-09 13:17 (CEST)

Vendor(s): Welotec GmbH

Product(s):

Article No°  Product Name              Affected Version(s)
-            SmartEMS Web Application  < v3.3.6

Summary

A path traversal flaw in the SmartEMS upload handling allows authenticated users to direct upload data outside of the intended directory via the 'Upload-Key' header. In deployments where writable, code-interpreted paths are reachable, this may lead to remote code execution.


Last Update: 9. September 2025 13:14

Weakness

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Summary

The upload endpoint insufficiently validates the 'Upload-Key' request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain configurations this enables arbitrary file write and may be leveraged to achieve remote code execution.
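As an added illustration of the fix pattern (this is not SmartEMS code, and the allowlist policy for the Upload-Key header is an assumption), a handler can treat the header value as an opaque file-name component and confine the resolved path to the upload root:

```python
import re
from pathlib import Path

# Allowlist for the Upload-Key header: one plain file-name component, no
# separators, no leading dot, bounded length. Assumed policy, not SmartEMS's.
UPLOAD_KEY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class UnsafeUploadKey(ValueError):
    """Raised when an Upload-Key would not stay inside the upload root."""


def resolve_upload_path(upload_root: str, upload_key: str) -> Path:
    """Map an 'Upload-Key' header value to a path confined to upload_root.

    The key is treated as an opaque identifier rather than a path fragment:
    the allowlist rejects '/', '\\', '..', NUL and empty values before any
    filesystem call, and the resolved path is re-checked against the resolved
    root so that a symlink inside the upload tree cannot redirect the write.
    """
    if not UPLOAD_KEY_RE.fullmatch(upload_key or ""):
        raise UnsafeUploadKey(f"rejected Upload-Key: {upload_key!r}")
    root = Path(upload_root).resolve()
    candidate = (root / upload_key).resolve()
    if candidate.parent != root:
        raise UnsafeUploadKey(f"resolved path escapes upload root: {candidate}")
    return candidate


def is_safe_upload_key(upload_root: str, upload_key: str) -> bool:
    """Boolean wrapper for request validation and rejection logging."""
    try:
        resolve_upload_path(upload_root, upload_key)
    except UnsafeUploadKey:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample header values (not taken from the advisory).
    root = "/srv/smartems/uploads"
    for key in ("fw-3.3.6.bin", "../../outside.txt", "", "sub/dir.bin"):
        verdict = "accept" if is_safe_upload_key(root, key) else "reject"
        print(f"{key!r:24} -> {verdict}")
```

Rejected keys are worth logging with the authenticated user and source address, since a traversal sequence in this header is a clear indicator of probing against the endpoint.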


Impact

An authenticated attacker with network access to the SmartEMS Web UI can write outside the intended upload directory, overwrite or place files in sensitive locations, escalate to remote code execution depending on filesystem permissions and execution context, and access or modify sensitive data.

Solution

Mitigation

Restrict access to the SmartEMS Web UI to trusted admin networks or VPN. Enforce strong credentials and rotate or revoke active tokens/sessions.

Remediation

Update SmartEMS to version 3.3.6, which fixes the issue.

Reported by

CERT@VDE coordinated with Welotec GmbH