CVE-2014-125125

HIGH

A10 Networks AX Loadbalancer <2.7.0 - Path Traversal

Title source: llm

Description

A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.

Exploits (2)

exploitdb WRITEUP

by xistence · textwebappshardware

https://www.exploit-db.com/exploits/31261

View Code ZIP pw:eip

metasploit WORKING POC

by xistence · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb

View Code ZIP pw:eip

References (3)

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/31261

[Third Party Advisory] https://www.vulncheck.com/advisories/a10-networks-ax-loadbalancer-path-traversal

Scores

CVSS v4 8.8

EPSS 0.3525

EPSS Percentile 97.1%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Details

CWE

CWE-22 CWE-706

Status published

Products (2)

A10 Networks/AX Series Loadbalancer < 2.6.1-GR1-P5

A10 Networks/AX Series Loadbalancer < 2.7.0

Published Jul 31, 2025

Tracked Since Feb 18, 2026