A high-severity vulnerability has been discovered in the Adacore Ada Web Server (AWS) affecting versions prior to 25. This flaw could allow an unauthenticated remote attacker to read sensitive files from the underlying server, potentially exposing confidential data such as configuration files, credentials, or intellectual property. Organizations are urged to apply the vendor-provided security update immediately to mitigate the risk of a data breach.

The vulnerability is an improper input validation flaw, specifically a path traversal weakness, within the Adacore Ada Web Server. A remote, unauthenticated attacker can exploit this by sending a specially crafted HTTP request containing directory traversal sequences (e.g., ../). This bypasses the server's access controls, allowing the attacker to navigate outside of the intended web root directory and read arbitrary files on the server's file system, limited only by the permissions of the web server's user account.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to significant business consequences, including the unauthorized disclosure of sensitive information. Attackers could potentially access and exfiltrate database credentials, API keys, application source code, customer data, or system configuration files. This exposure could result in a follow-on system compromise, reputational damage, regulatory penalties for data breaches, and direct financial loss.

Immediate Action: The primary remediation is to apply the vendor-provided security updates immediately. Organizations must upgrade all vulnerable instances of Adacore Ada Web Server (AWS) to version 25 or a later release. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing web server access logs for suspicious activity that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor web server logs for HTTP requests containing directory traversal patterns, such as ../, ..%2f, %2e%2e%2f, and other encoded variations. Implement alerts for unusual file access attempts originating from the web server process. Network monitoring should also be configured to detect anomalous outbound data transfers that could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. Deploy a Web Application Firewall (WAF) with rulesets designed to detect and block path traversal attacks. Additionally, enforce the principle of least privilege by ensuring the web server process runs with minimal file system permissions, restricting its access only to the necessary directories.

Public Exploit Available: false

Given the high-severity rating (CVSS 7.5) and the potential for sensitive data exposure, we strongly recommend that all organizations using the affected Adacore Ada Web Server prioritize applying the security update to version 25 or newer without delay. Although this vulnerability is not currently on the CISA KEV list, its impact makes it a prime target for opportunistic attackers. Immediate patching is the most effective defense to prevent a potential data breach and subsequent business impact.