{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10461", "assignerOrgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "state": "PUBLISHED", "assignerShortName": "Softing", "dateReserved": "2025-09-15T05:57:59.903Z", "datePublished": "2026-03-16T13:27:21.381Z", "dateUpdated": "2026-03-27T08:13:41.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "shortName": "Softing", "dateUpdated": "2026-03-27T08:13:41.200Z"}, "title": "Global file reads caused by improper URL checks in webserver", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-497", "descriptions": [{"lang": "en", "value": "CAPEC-497 File Discovery"}]}], "affected": [{"vendor": "Softing", "product": "smartLink SW-HT", "modules": ["filesystem"], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.42", "versionType": "custom"}, {"status": "unaffected", "version": "1.43", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Softing", "product": "smartLink SW-PN", "modules": ["filesystem"], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.03", "versionType": "custom"}, {"status": "unaffected", "version": "1.04"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:softing:smartlink_sw-ht:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "1.42"}, {"vulnerable": false, "criteria": "cpe:2.3:a:softing:smartlink_sw-ht:1.43:*:*:*:*:*:*:*"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:softing:smartlink_sw-pn:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "1.03"}, {"vulnerable": false, "criteria": "cpe:2.3:a:softing:smartlink_sw-pn:1.04:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access.\n\n\n\nThis issue affects\n\nsmartLink SW-HT: through 1.42\n\nsmartLink SW-PN: through 1.03.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access.<p>\n\n</p><p>This issue affects</p><p>smartLink SW-HT: through 1.42</p><p>smartLink SW-PN: through 1.03.</p>\n\n<p></p>"}]}], "references": [{"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10461.html"}, {"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10461.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "GREEN", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/RE:L/U:Green"}}], "solutions": [{"lang": "en", "value": "This issue is fixed in\n\n\n\n\n\nsmartLink SW-HT: 1.43\n\nsmartLink SW-PN: 1.04", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>This issue is fixed in</p><p>\n\n</p><p>smartLink SW-HT: 1.43</p>smartLink SW-PN: 1.04<br><p></p>"}]}], "credits": [{"lang": "en", "value": "OpenVAS", "type": "tool"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T14:27:44.548413Z", "id": "CVE-2025-10461", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:27:51.874Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10461", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:27:44.548413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:27:48.578Z"}}], "cna": {"title": "Global file reads caused by improper URL checks in webserver", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "tool", "value": "OpenVAS"}], "impacts": [{"capecId": "CAPEC-497", "descriptions": [{"lang": "en", "value": "CAPEC-497 File Discovery"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 5.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/RE:L/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Softing", "modules": ["filesystem"], "product": "smartLink SW-HT", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.42"}, {"status": "unaffected", "version": "1.43", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Softing", "modules": ["filesystem"], "product": "smartLink SW-PN", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.03"}, {"status": "unaffected", "version": "1.04"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This issue is fixed in\n\n\n\n\n\nsmartLink SW-HT: 1.43\n\nsmartLink SW-PN: 1.04", "supportingMedia": [{"type": "text/html", "value": "<p>This issue is fixed in</p><p>\n\n</p><p>smartLink SW-HT: 1.43</p>smartLink SW-PN: 1.04<br><p></p>", "base64": false}]}], "references": [{"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10461.html"}, {"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10461.json"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access.\n\n\n\nThis issue affects\n\nsmartLink SW-HT: through 1.42\n\nsmartLink SW-PN: through 1.03.", "supportingMedia": [{"type": "text/html", "value": "Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access.<p>\n\n</p><p>This issue affects</p><p>smartLink SW-HT: through 1.42</p><p>smartLink SW-PN: through 1.03.</p>\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:softing:smartlink_sw-ht:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.42", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:softing:smartlink_sw-ht:1.43:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:softing:smartlink_sw-pn:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.03", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:softing:smartlink_sw-pn:1.04:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "shortName": "Softing", "dateUpdated": "2026-03-27T08:13:41.200Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10461", "state": "PUBLISHED", "dateUpdated": "2026-03-27T08:13:41.200Z", "dateReserved": "2025-09-15T05:57:59.903Z", "assignerOrgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "datePublished": "2026-03-16T13:27:21.381Z", "assignerShortName": "Softing"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access.\n\n\n\nThis issue affects\n\nsmartLink SW-HT: through 1.42\n\nsmartLink SW-PN: through 1.03."}, {"lang": "es", "value": "Lecturas globales de archivos causadas por comprobaciones de URL incorrectas en el servidor web en smartLinks de Softing Industrial Automation GmbH en docker (m\u00f3dulos del sistema de archivos) permiten el acceso a archivos.\n\nEste problema afecta a\n\nsmartLink SW-HT: hasta la versi\u00f3n 1.42\n\nsmartLink SW-PN: hasta la versi\u00f3n 1.03."}], "id": "CVE-2025-10461", "lastModified": "2026-03-27T09:16:17.050", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "source": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "type": "Secondary"}]}, "published": "2026-03-16T14:17:53.620", "references": [{"source": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10461.html"}, {"source": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10461.json"}], "sourceIdentifier": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.42]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.43"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "smartLink SW-HT", "source": "cna", "vendor": "Softing"}, "product": "smartlink_sw-ht", "vendor": "softing"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.03]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.04"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "smartLink SW-PN", "source": "cna", "vendor": "Softing"}, "product": "smartlink_sw-pn", "vendor": "softing"}], "analysis": {"en": {"generated_at": "2026-03-17T11:22:22.049297+00:00", "value": {"mitigation_remediation": ["Apply patch to smartLink SW-HT to version 1.43 or newer.", "Apply patch to smartLink SW-PN to version 1.04 or newer.", "Verify that the webserver no longer allows arbitrary file reads by testing access to protected paths.", "If an update cannot be applied immediately, restrict external network traffic to the webserver or disable the Docker filesystem modules."], "summary": {"action": "Apply Patch", "impact": "Unauthorized File Read"}, "threat_synthesis": {"affected_systems": "Affected vendor is Softing Industrial Automation GmbH. Products impacted are smartLink SW\u2011HT and smartLink SW\u2011PN. The vulnerability exists in all versions up through 1.42 for SW\u2011HT and up through 1.03 for SW\u2011PN, as stated by the vendor. Updated versions that contain the fix are smartLink SW\u2011HT\u202f1.43 and smartLink SW\u2011PN\u202f1.04.", "description_and_impact": "This vulnerability in Softing Industrial Automation GmbH smartLinks allows an attacker to read arbitrary files on the host system. The webserver performs improper URL validation, enabling global file reads through the filesystem modules when accessed from a Docker environment. The weakness is identified as incorrect input validation (CWE\u201120) and results in unauthorized disclosure of data that may include sensitive configuration or credential files.", "risk_and_exploitability": "The CVSS score is 5.3, indicating a moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires crafting an HTTP request that bypasses URL checks; authentication or privileged access is not mentioned, so the act of trying likely does not require additional privileges. Because the webserver is network exposed, the vulnerability could be exploited remotely without local access, making it reasonably attractive to attackers."}}}}, "created": "2026-03-17T09:52:55.955281+00:00", "updated": "2026-03-24T10:44:30.931553+00:00", "vendors": ["softing", "softing$PRODUCT$smartlink_sw-ht", "softing$PRODUCT$smartlink_sw-pn"]}