CVE-2025-34047

26.06.2025, 16:15

A path traversal vulnerability exists in the Leadsec SSL VPN (formerly Lenovo NetGuard), allowing unauthenticated attackers to read arbitrary files on the underlying system via the ostype parameter in the /vpn/user/download/client endpoint. This flaw arises from insufficient input sanitation, enabling traversal sequencesto escape the intended directory and access sensitive files.Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
VulnCheck	CNA	---	---
CISA-ADP	ADP	---	---

Base Score

CVSS 3.x

EPSS Score

Percentile: 71%

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2021/CNVD-2021-64035.yaml

https://vulncheck.com/advisories/leadsec-vpn-path-traversal-file-read

https://www.cnvd.org.cn/flaw/show/CNVD-2021-64035

https://www.leadsec.com.cn/

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2021/CNVD-2021-64035.yaml