CVE-2025-34047
HIGH EXPLOITEDLeadsec SSL VPN - Unauthenticated Path Traversal and Arbitrary File Read via ostype Parameter
Title source: llmExploitation Summary
CVE-2025-34047 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
A path traversal vulnerability exists in the Leadsec SSL VPN (formerly Lenovo NetGuard), allowing unauthenticated attackers to read arbitrary files on the underlying system via the ostype parameter in the /vpn/user/download/client endpoint. This flaw arises from insufficient input sanitation, enabling traversal sequences to escape the intended directory and access sensitive files. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
References (4)
Core 4
Core References
Various Sources third-party-advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2021-64035
Various Sources exploit
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2021/CNVD-2021-64035.yaml
Various Sources product
https://www.leadsec.com.cn/
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/leadsec-vpn-path-traversal-file-read
Scores
CVSS v4
8.7
EPSS
0.0046
EPSS Percentile
36.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
VulnCheck KEV
2025-06-26
CWE
CWE-20
CWE-22
Status
published
Products (1)
Beijing NetGuard Nebula Information Technology Co., Ltd./Leadsec SSL VPN
Published
Jun 26, 2025
Tracked Since
Feb 18, 2026