CVE Alert: CVE-2025-10468 – Beyaz Computer – CityPlus
CVE-2025-10468
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Beyaz Computer CityPlus allows Path Traversal. This issue affects CityPlus: before 24.29375.
AI Summary Analysis
Risk verdict
High risk from a remote path traversal vulnerability; currently no confirmed exploitation activity.
Why this matters
An unauthenticated attacker can remotely request the vulnerable component, potentially reading sensitive server files and configuration data. The confidentiality impact is high, creating a realistic risk of data disclosure and exposure of credentials or secrets if exposed via the affected paths.
Most likely attack path
Exploitation requires network access to the CityPlus interface, with no privileges or user interaction needed. An attacker can craft input parameters that are used to build file paths, exploiting low attack complexity to access restricted directories. Lateral movement is unlikely to be direct, but sensitive data access could enable further abuse or exfiltration.
Who is most exposed
Organisations running CityPlus in internet-facing or cloud-connected deployments, particularly where older builds or custom configurations are in use. On-premise installations with public endpoints are most at risk.
Detection ideas
- Look for requests containing path traversal patterns (../, ..%2f, encoded slashes) targeting CityPlus endpoints.
- Unusual or failed attempts to access restricted files or directories (e.g., hidden/config files) reflected as 403/500 responses.
- Anomalous spikes in URL parameters or error logs tied to file-path inputs.
- WAF or reverse proxy alerts for path traversal attempts.
- Correlated log bursts from IPs unfamiliar to normal operation.
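The first three detection ideas above (traversal patterns, encoded variants, and the status codes they produce, grouped per source IP) can be exercised against access logs. The script below is an added example, not code from the advisory or from Beyaz Computer; the `/cityplus/report` endpoint and its `file` parameter are assumptions, the log lines are constructed, and the IPs are RFC 5737 documentation addresses. Percent-decoding is repeated until the string stops changing so that double-encoded sequences are caught as well as the plain `../` and `..%2f` forms.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The /cityplus/report
# endpoint and its "file" parameter are assumptions for this example, not
# documented CityPlus paths; the IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /cityplus/report?file=summary.pdf HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /cityplus/report?file=../../etc/passwd HTTP/1.1" 403 0
203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /cityplus/report?file=..%2f..%2fweb.config HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2025:12:00:04 +0000] "GET /cityplus/report?file=%252e%252e%252fsecrets.xml HTTP/1.1" 200 0
198.51.100.9 - - [10/Oct/2025:12:00:05 +0000] "GET /cityplus/home HTTP/1.1" 200 2048
"""

# Minimal Common Log Format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e%252f
    (double-encoded ../) is seen the same way as ../ or ..%2f."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if the request target contains a dot-dot segment after decoding.
    Backslashes are folded to '/' so ..\\ variants are covered too."""
    decoded = fully_decode(target).replace('\\', '/')
    return '../' in decoded


def analyse_log(text: str, path_prefix: str = '/cityplus/') -> list:
    """Return one finding per request that targets the assumed CityPlus paths
    and carries a traversal pattern; the status code is kept because a 200 on
    such a request deserves more attention than a 403."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group('target')
        if target.lower().startswith(path_prefix) and has_traversal(target):
            findings.append({'ip': m.group('ip'),
                             'target': target,
                             'status': int(m.group('status'))})
    return findings


def noisy_sources(findings: list, threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` traversal-pattern requests,
    for the 'correlated bursts from unfamiliar IPs' idea."""
    counts = Counter(f['ip'] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    hits = analyse_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']}  status={h['status']}  {h['target']}")
    print('sources over threshold:', noisy_sources(hits))
```

On the constructed sample the three requests from 203.0.113.7 are flagged; the 403 and 500 match the failed-access pattern, while the double-encoded request that returned 200 is the one worth triaging first, since it suggests a filter that decoded only once. Treat this as a triage aid alongside WAF alerts, not a substitute for updating to the fixed release.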
Mitigation and prioritisation
- Update to version 24.29375 or later (the fixed release); verify through staged testing before production rollout.
- Implement input validation and canonicalisation to normalise and reject traversal sequences; restrict file-system access to required paths only.
- Enable strict allow-listing for file access and disable directory listing; enforce least-privilege service accounts.
- Deploy WAF rules to block common path-traversal payloads and monitor for related attempts.
- Schedule prompt remediation within the standard change window; document rollback and validation steps.
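The canonicalisation and allow-listing advice in the second and third mitigation items is the fix for this vulnerability class on the application side. The example below is added here and is not CityPlus code; the report root `/srv/cityplus/reports` and the allowed file types are assumptions. It shows the weak pattern (join the user-supplied name, then check the string prefix) next to the hardened one (resolve to a canonical path first, then check containment and an extension allow-list). The requested name is assumed to have been URL-decoded exactly once by the web framework before it reaches these functions.

```python
import os
from pathlib import Path

# Assumed document root for report files; a placeholder for this example.
REPORT_ROOT = '/srv/cityplus/reports'
# Allow-list of file types the endpoint is meant to serve (assumption).
ALLOWED_SUFFIXES = {'.pdf', '.csv'}


def naive_report_path(base_dir: str, requested: str):
    """The weak pattern. os.path.join does not collapse '..' segments, so the
    joined string still starts with base_dir and the prefix check passes;
    the operating system later resolves the '..' above base_dir."""
    joined = os.path.join(base_dir, requested)
    return joined if joined.startswith(base_dir) else None


def resolve_report_path(base_dir: str, requested: str):
    """Hardened version: canonicalise, then check containment and an allow-list.
    Returns the canonical Path, or None when the request is rejected."""
    if not requested or '\x00' in requested:
        return None
    # Fold backslashes so Windows-style separators get the same treatment.
    normalised = requested.replace('\\', '/')
    # Joining an absolute path onto a Path discards base_dir, so reject it up front.
    if normalised.startswith('/') or (len(normalised) > 1 and normalised[1] == ':'):
        return None
    base = Path(base_dir).resolve()
    # resolve() collapses '..' and follows symlinks, so a link inside the
    # root that points outside it is rejected by the containment check below.
    candidate = (base / normalised).resolve()
    if base not in candidate.parents:
        return None
    # Allow-list the file types this endpoint exists to serve.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate


if __name__ == '__main__':
    for name in ('q3/summary.pdf', '../../etc/passwd', 'q3/../../secrets.pdf',
                 '/etc/passwd', 'settings.xml'):
        print(f'{name!r:32} naive={naive_report_path(REPORT_ROOT, name)!r}'
              f'  hardened={resolve_report_path(REPORT_ROOT, name)!r}')
```

For `../../etc/passwd` the naive function returns `/srv/cityplus/reports/../../etc/passwd`, which passes its own prefix check but normalises to `/srv/etc/passwd`; the hardened function returns `None` for it, for the absolute path, for the backslash variant and for a file type outside the allow-list, while still accepting `q3/../summary.pdf` because that resolves to a file inside the root. Pair this with the least-privilege service account from the same list so that even a bypass of the check cannot read outside what the account is permitted to see.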