CVE-2026-7411

Eclipse · BaSyx Java Server SDK

The Eclipse BaSyx Java Server SDK is vulnerable to path traversal via the Submodel HTTP API, potentially leading to Remote Code Execution.

Executive summary

A critical path traversal vulnerability in the Eclipse BaSyx Java Server SDK allows unauthenticated remote attackers to achieve Remote Code Execution by writing arbitrary files to the host system.

Vulnerability

The vulnerability stems from inadequate path normalization in the Submodel HTTP API: the filename parameter supplied with a file upload is not normalized or confined to the intended directory, so an unauthenticated attacker can supply a crafted filename to write files outside it.
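The pattern behind this class of bug, and the fix, in an added example that is not the BaSyx SDK's code (the handler, the upload directory and the method names are hypothetical). The unsafe resolver concatenates the client-supplied name; the hardened one rejects separators and special names, normalizes, and verifies the result is still inside the upload directory:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeUploadPath {

    // Vulnerable pattern (hypothetical): the client-controlled filename is joined to the
    // upload directory without normalization or containment, so "../" segments escape it.
    static Path resolveUnsafe(Path uploadDir, String clientFileName) {
        return uploadDir.resolve(clientFileName);
    }

    // Hardened version: allow only a single path component, then confirm containment.
    static Path resolveSafe(Path uploadDir, String clientFileName) {
        Path base = uploadDir.toAbsolutePath().normalize();

        // Reject anything that is not a plain file name: empty, NUL bytes, either separator
        // style, or the "." / ".." pseudo-entries.
        if (clientFileName == null || clientFileName.isEmpty()
                || clientFileName.indexOf('\0') >= 0
                || clientFileName.contains("/") || clientFileName.contains("\\")
                || clientFileName.equals(".") || clientFileName.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }

        Path target = base.resolve(clientFileName).normalize();

        // Defence in depth: Path.startsWith compares whole components, so a sibling
        // directory such as "/uploads-other" does not pass as "inside /uploads".
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("file name escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("/var/app/uploads"); // assumed location, constructed
        String[] samples = { "report.json", "../../outside.txt", "..", "sub/inner.txt" };

        for (String name : samples) {
            System.out.println("input  : " + name);
            System.out.println("unsafe : " + resolveUnsafe(uploadDir, name).normalize());
            try {
                System.out.println("safe   : " + resolveSafe(uploadDir, name));
            } catch (IllegalArgumentException e) {
                System.out.println("safe   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The containment check after normalization is the control that matters: a perimeter filter on the literal `../` sequence, as suggested under compensating controls, is useful as a stop-gap but is sensitive to how the sequence is encoded in transit, whereas the resolved path is compared after the server has decoded and normalized it.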

Business impact

With a CVSS score of 10.0, this vulnerability allows for complete system compromise. The ability to write arbitrary files to the host filesystem effectively grants an attacker the capability to execute malicious code, leading to total loss of system control, data theft, and potential lateral movement within the network.

Remediation

Immediate Action: Upgrade to Eclipse BaSyx Java Server SDK version 2.0.0-milestone-10 or later.

Proactive Monitoring: Inspect the filesystem for newly created or modified files in unauthorized directories and monitor the Java process logs for suspicious file operation errors.

Compensating Controls: Deploy a Web Application Firewall (WAF) to filter and block requests containing path traversal sequences (e.g., ../) targeting the Submodel HTTP API.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the maximum severity rating of 10.0, this issue must be addressed as an emergency priority. Administrators should ensure that all instances of the affected SDK are updated and verify that the application process is running with the principle of least privilege.