A high-severity vulnerability, identified as CVE-2025-59890, has been discovered in multiple products from Improper, specifically affecting the Eaton Galileo software. This flaw allows an attacker with local access to the system to execute unauthorized code by uploading a specially crafted file archive. Successful exploitation could lead to a complete compromise of the affected system.

The vulnerability exists due to improper input sanitization within the file archives upload functionality of the Eaton Galileo software. An attacker with local access can craft a malicious archive (e.g., a ZIP or TAR file) containing path traversal sequences (e.g., ../../). When the application processes this archive, it fails to validate the file paths, allowing the attacker to write a file to an arbitrary location on the filesystem, outside of the intended upload directory. By placing a malicious executable, script, or configuration file in a sensitive system location, the attacker can achieve unauthorized code or command execution.

This vulnerability is rated as High severity with a CVSS score of 7.3. Exploitation could lead to a complete system compromise, allowing an attacker to execute arbitrary commands with the privileges of the application's user account. Potential consequences include the theft of sensitive data, installation of persistent malware such as ransomware or spyware, disruption of critical operations, and the ability for an attacker to use the compromised system as a pivot point for further attacks within the network. Although it requires local access, it represents a significant risk for privilege escalation and establishing persistence.

Immediate Action: Apply the security updates provided by the vendor to all affected systems immediately. After patching, review system and application access logs for any signs of suspicious file upload activity or unauthorized file modifications that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring on affected systems. Security teams should look for unusual file write operations originating from the application process, especially to sensitive system directories. Monitor application logs for file upload events containing path traversal sequences (../) and review endpoint security alerts for the creation of unexpected executables or scheduled tasks.

Compensating Controls: If patching cannot be immediately deployed, consider the following compensating controls:

• Restrict access to the file upload functionality to only highly trusted administrative users.
• Implement a File Integrity Monitoring (FIM) solution to alert on any unauthorized changes to critical system files and directories.
• Use application whitelisting or other endpoint protection controls to prevent the execution of unauthorized files in sensitive locations.

Public Exploit Available: false

Given the high severity of this vulnerability and its potential to grant an attacker full control over a system, organizations are strongly advised to prioritize the application of vendor-supplied patches across all affected assets. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for enabling code execution warrants immediate attention. Patching should be treated as the primary mitigation, supplemented by the proactive monitoring and compensating controls outlined above to ensure a robust defense-in-depth security posture.