A high-severity vulnerability has been identified in IQ-Support software developed by IQ Service International. This flaw allows unauthenticated remote attackers to read sensitive files from the underlying server, potentially exposing confidential data, system configurations, and user credentials. Organizations using the affected software are at significant risk of data breaches and further system compromise.

The vulnerability is an Arbitrary File Read caused by a Relative Path Traversal flaw. An unauthenticated attacker can send a specially crafted request to the application, using path traversal sequences (e.g., ../) to navigate outside of the intended web root directory. This allows the attacker to access and download any file on the server's file system that the web service's user account has permission to read, such as /etc/passwd, application configuration files containing passwords, or sensitive business documents.

This vulnerability is classified as High severity with a CVSS score of 7.5. Successful exploitation directly impacts data confidentiality and system integrity. An attacker could exfiltrate sensitive information, including customer data, intellectual property, and system credentials. This exposure could lead to significant financial loss, reputational damage, regulatory fines for non-compliance with data protection laws, and could serve as a foothold for more extensive network intrusions.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by IQ Service International immediately across all affected systems. After patching, it is crucial to review web server and application access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing path traversal patterns such as ../, ..%2f, ..\, or other encoded variations. Implement alerts for unusual outbound traffic from affected servers, which could indicate data exfiltration. System file integrity monitoring should be in place to detect unauthorized access to critical files.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks. Additionally, enforce the principle of least privilege by ensuring the web server's service account has restrictive read/write permissions on the file system, limiting its access to only essential directories.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the unauthenticated, remote nature of this vulnerability, immediate action is required. Organizations must prioritize the deployment of the vendor-supplied patches to all internet-facing systems running the affected software. Although this CVE is not currently on the CISA KEV list, its characteristics make it an attractive target for attackers. If patching is delayed, the implementation of compensating controls such as a WAF is strongly recommended as a temporary risk mitigation measure.