A high-severity vulnerability has been identified in multiple BPMFlowWebkit products, allowing unauthenticated remote attackers to read arbitrary files from the underlying server. Successful exploitation could lead to the exposure of sensitive system data, credentials, and business information, posing a significant confidentiality risk to the organization.

The vulnerability is an Absolute Path Traversal flaw within the BPMFlowWebkit software. An unauthenticated attacker can send a specially crafted request to a vulnerable web server endpoint, manipulating file path parameters with "dot-dot-slash" (../) sequences or absolute file paths. This bypasses the application's access controls, causing it to retrieve and return the contents of sensitive files from the server's file system, such as configuration files, password files, or application source code.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have a significant business impact, leading to a breach of sensitive data. An attacker could exfiltrate confidential information, including customer data, intellectual property, and system credentials stored in configuration files. This exposure could result in regulatory fines, reputational damage, and provide the attacker with a foothold to launch further attacks against the internal network.

Immediate Action: Apply vendor security updates immediately. The vendor, WELLTEND TECHNOLOGY, has released patches to address this vulnerability. System administrators should prioritize the deployment of these updates across all affected systems.

Proactive Monitoring: Review web server and application access logs for any requests containing path traversal sequences (e.g., ../, ..%2f, ..\\) or requests attempting to access known sensitive system files (e.g., /etc/passwd, C:\Windows\win.ini). Monitor for unusual outbound network traffic which may indicate data exfiltration. Implement alerts for repeated failed access attempts or unusual file access patterns on the server.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block path traversal attack patterns. Additionally, enforce the Principle of Least Privilege by ensuring the web server's service account has restrictive file system permissions, limiting its ability to read sensitive files outside of the web root directory.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the fact that this vulnerability can be exploited by an unauthenticated remote attacker, immediate action is required. While CVE-2025-15227 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for significant data exposure makes it a critical priority for remediation. All organizations using affected BPMFlowWebkit products must apply the vendor-supplied patches immediately to prevent potential data breaches.