The Zephyr HTTP server contains a high-severity vulnerability that allows unauthorized access to files, potentially exposing sensitive system information.

The HTTP server implementation in the Zephyr RTOS, specifically the static-filesystem resource type, fails to properly restrict access when CONFIG_FILE_SYSTEM is enabled. This allows unauthenticated remote attackers to potentially read files outside the intended root directory.

A CVSS score of 7.5 highlights the severity of this unauthorized access vulnerability. In an embedded context, this could lead to the exposure of sensitive configuration files, credentials, or proprietary data, significantly increasing the risk of full device compromise and loss of operational control.

Immediate Action: Apply the vendor-provided patch to the Zephyr RTOS source code or update to a version where this file access path is properly restricted.

Proactive Monitoring: Monitor network traffic for suspicious HTTP requests targeting sensitive file paths or using directory traversal sequences.

Compensating Controls: If patching is delayed, disable the CONFIG_FILE_SYSTEM feature in the HTTP server configuration if it is not strictly required for current operations.

Public Exploit Available: false

This vulnerability represents a significant security risk for embedded systems running Zephyr. Engineering teams must review their firmware configurations and apply the necessary patches immediately to prevent unauthorized access to the underlying filesystem.