PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25365 PCViewer CVE debrief

CVE-2018-25365 is a directory traversal vulnerability in PCViewer vt1000 that allows unauthenticated remote attackers to read arbitrary files from the underlying system. The vulnerability exists due to insufficient input validation on GET request parameters, enabling attackers to use relative path sequences (e.g., `../../../../../../../../../../../../etc/passwd`) to escape the intended directory and access sensitive system files. The vulnerability carries a HIGH severity CVSS score of 8.7, reflecting significant confidentiality impact with no authentication required. The CVE was published on 2026-05-25 and last modified on 2026-05-26. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Vendor attribution is low-confidence: it rests only on reference-domain analysis pointing to Softpedia.

Vendor: PCViewer
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations running PCViewer vt1000, particularly those with instances exposed to the internet or untrusted networks. Security teams responsible for web application security, file server protection, and vulnerability management programs. System administrators managing legacy file management applications.

Technical summary

PCViewer vt1000 fails to properly validate file path parameters in HTTP GET requests, allowing attackers to inject directory traversal sequences. By submitting crafted requests containing multiple `../` sequences, unauthenticated attackers can navigate outside the web root and read arbitrary files on the host file system. The vulnerability is network-exploitable with low attack complexity and requires no privileges or user interaction. Impact is limited to confidentiality (arbitrary file read) with no integrity or availability effects per CVSS 4.0 scoring.

Defensive priority

HIGH

Recommended defensive actions

  • Review and restrict network access to PCViewer vt1000 instances, especially those exposed to untrusted networks
  • Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences (../) in HTTP GET parameters
  • Apply input validation and sanitization to all file path parameters, rejecting relative path sequences
  • Consider disabling or removing PCViewer vt1000 if vendor patches are unavailable and the application is not essential
  • Monitor file access logs for anomalous read patterns indicative of directory traversal exploitation
  • Verify that the underlying operating system implements proper file system permissions to limit impact of successful traversal attacks
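As an added illustration of the input-validation and log-monitoring actions above (example code, not PCViewer's or PatchSiren's own; the document root, the `file` parameter name and the log lines are constructed assumptions): the check resolves the requested path and tests containment in the document root instead of searching for a literal `../`, which is what stops URL-encoded and backslash variants from slipping past.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical document root; PCViewer's real layout is not given in the advisory.
WEB_ROOT = "/srv/pcviewer/files"


def resolve_within_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a user-supplied file parameter to an absolute path under `root`.

    Returns None when the request would escape the root (CWE-22). Checking the
    resolved path, not the raw string, is what defeats encoding tricks.
    """
    # Decode twice so "%2e%2e" and "%252e%252e" both become "..", and treat
    # backslashes as separators so "..\" cannot bypass a forward-slash check.
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    # A NUL byte can truncate the path in lower-level file APIs; reject it.
    if "\x00" in decoded:
        return None
    # Strip a leading "/" so an absolute path is confined to the root, then
    # normalise: posixpath.normpath collapses every "." and ".." segment.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # Containment check on the resolved path is the actual CWE-22 fix.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def flag_traversal(log_line: str) -> bool:
    """Coarse log-review heuristic: True when the decoded request line
    contains a ".." path segment under any encoding handled above."""
    decoded = unquote(unquote(log_line)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


# Constructed sample access-log lines (not real PCViewer logs).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /view?file=reports/q1.txt HTTP/1.1" 200',
    '10.0.0.9 - - "GET /view?file=../../../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - "GET /view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200',
]


def suspicious_lines(lines: List[str] = SAMPLE_LOG) -> List[str]:
    """Return the log lines that trip the traversal heuristic."""
    return [line for line in lines if flag_traversal(line)]
```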

Evidence notes

CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. Weakness classified as CWE-22. Source references include product information from Softpedia, an Exploit-DB entry, and a VulnCheck advisory.

Official resources

The vulnerability was disclosed through VulnCheck and is documented in NVD with references to an Exploit-DB entry and a VulnCheck advisory. The NVD entry status is 'Deferred'.