PatchSiren cyber security CVE debrief

CVE-2022-3693 Deytek Informatics CVE debrief

A path traversal vulnerability in FileOrbis File Management System allows unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability exists in versions prior to 10.6.3 and has been assigned a HIGH severity CVSS 3.1 score of 7.5. The issue was disclosed by the Turkish National Cyber Security Incident Response Center (USOM) in January 2023. Organizations running affected versions should upgrade to FileOrbis 10.6.3 or later to remediate this vulnerability.

Vendor: Deytek Informatics
Product: FileOrbis File Management System
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-01-13
Original CVE updated: 2026-05-20
Advisory published: 2023-01-13
Advisory updated: 2026-05-20

Who should care

Organizations deploying FileOrbis File Management System for enterprise file sharing and document management, particularly those in sectors with sensitive document handling requirements such as legal, healthcare, finance, and government. Security teams responsible for web application security and file server infrastructure should prioritize patching.

Technical summary

The FileOrbis File Management System fails to properly sanitize user-supplied input used in file path construction, enabling directory traversal attacks. An unauthenticated remote attacker can manipulate file path parameters to access files outside the intended directory scope, including sensitive system files. The vulnerability is exploitable over the network with low attack complexity and requires no user interaction or authentication. The confidentiality impact is rated HIGH with no integrity or availability impact per CVSS 3.1 scoring.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FileOrbis File Management System to version 10.6.3 or later.
  • Review access logs for anomalous file access patterns indicative of path traversal exploitation.
  • Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences (e.g., ../, ..%2f) in HTTP requests.
  • Apply principle of least privilege to file system permissions to limit impact of successful traversal attacks.
  • Monitor for unauthorized access attempts to sensitive system files outside intended application directories.
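As an added illustration of the log-review and WAF-rule actions above (this code is not part of the advisory or of FileOrbis), a small Python scanner that flags traversal sequences in access-log lines after percent-decoding them, so that URL-encoded and double-encoded forms such as ..%2f and %252e%252e%252f are caught alongside plain ../. The endpoint path, parameter name and log lines are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). They are not real
# FileOrbis traffic; the endpoint and parameter names are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2023:10:00:01 +0300] "GET /files/download?path=reports/q4.pdf HTTP/1.1" 200 5120
203.0.113.11 - - [13/Jan/2023:10:00:02 +0300] "GET /files/download?path=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.12 - - [13/Jan/2023:10:00:03 +0300] "GET /files/download?path=..%2f..%2fweb.config HTTP/1.1" 200 1024
203.0.113.13 - - [13/Jan/2023:10:00:04 +0300] "GET /files/download?path=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 300
203.0.113.14 - - [13/Jan/2023:10:00:05 +0300] "GET /files/download?path=..\\..\\windows\\win.ini HTTP/1.1" 200 400
"""

# Client address, request target and response status from a CLF line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A parent-directory step: ".." followed by a separator or the end of the target.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding such as %252e),
    then fold backslashes to slashes so Windows-style steps are seen too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the decoded request target contains a '..' directory step."""
    return TRAVERSAL_RE.search(normalize(target)) is not None


def scan_log(text: str) -> list[dict]:
    """One record per request whose target carries a traversal sequence.
    Status-200 hits deserve first attention: the server likely served the file."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("target")):
            hits.append({"client": m.group("client"), "target": m.group("target"),
                         "decoded": normalize(m.group("target")),
                         "status": int(m.group("status"))})
    return hits
```

Run `scan_log` over a real access log and triage the hits by status code; the decoded target shows which file the request was aiming at.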

Evidence notes

The NVD record identifies FileOrbis as the affected vendor with CPE cpe:2.3:a:fileorbis:fileorbis:*:*:*:*:*:*:*:*, with the fixed version specified as 10.6.3. USOM published advisory TR-23-0021 providing third-party confirmation. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates a network-accessible, low-complexity attack with no privileges or user interaction required, resulting in high confidentiality impact and no integrity or availability impact. CWE-22 (Path Traversal) is the primary weakness classification.

Official resources

The vulnerability was publicly disclosed on 2023-01-13 via USOM security advisory TR-23-0021. No known exploitation in ransomware campaigns has been documented.