Message-ID: <ef902772-cd87-4f87-b4ae-d5abf30de62c@sec-consult.com>
Date: Mon, 27 Oct 2025 06:26:48 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20251027-0 :: Unauthenticated Local File
 Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing
 Execution System #CVE-2025-12055

SEC Consult Vulnerability Lab Security Advisory < 20251027-0 >
=======================================================================
               title: Unauthenticated Local File Disclosure
             product: MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing
                      Execution System
  vulnerable version: 10.14.STD, MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8
                      Maintenance versions until week 35/2025
       fixed version: Maintenance Pack 36 for MIP 2 / FEDRA 2 / HYDRA X
                      with Servicepack 8, week 36/2025
          CVE number: CVE-2025-12055
              impact: high
            homepage: https://www.mpdv.com/
               found: 2025-06-23
                  by: Lukas Donaubauer
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"You monitor, control and optimize your production continuously with
HYDRA X. You can therefore keep an eye on all resources at all times
and design your production processes to be as efficient as possible.
Digitization in production is unstoppable! Companies who want to
produce efficiently need HYDRA X."

Source: https://www.mpdv.com/en/products/mes-hydra-x


Business recommendation:
------------------------
The vendor provides a patch in their support portal which should be
installed immediately.

SEC Consult highly recommends performing a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated Local File Disclosure (CVE-2025-12055)
HYDRA X, MIP 2 and FEDRA 2 suffer from an unauthenticated local file disclosure
vulnerability which allows an attacker to read arbitrary files from the Windows
operating system (HYDRA X is designed to work on Windows). The "Filename"
parameter of the public $SCHEMAS$ resource is vulnerable and can be
exploited easily.


Proof of concept:
-----------------
1) Unauthenticated Local File Disclosure (CVE-2025-12055)
The following proof of concept shows the HTTP request that was used to read
local files of the server's operating system. The vulnerability can be
triggered as soon as a vulnerable version of the software is in use.
Authorization and authentication are not needed.

-------------------------------------------------------------------------------
HTTP Request:
GET /hx/resources/public/$SCHEMAS$?Filename=c%3a%5cwindows%5cwin.ini HTTP/1.1
Host: <IP>
-------------------------------------------------------------------------------
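
Added example, not part of the original advisory and not SEC Consult's or MPDV's code: a check for the request above in web access logs, flagging $SCHEMAS$ requests whose "Filename" value is an absolute path, a rooted/UNC path or contains "..". Assumptions: a proxy or web server in front of the MES writes combined-format logs, legitimate values are bare file names (the name "order.xsd" is hypothetical), and all log lines below are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed log format: Apache/nginx "combined" lines from a proxy in front of the MES.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
ENDPOINT = "/hx/resources/public/$schemas$"  # path from the advisory, lowercased

# Filename values that are not a bare file name: drive letter, rooted/UNC path, traversal.
SUSPICIOUS_RE = re.compile(r'^[a-zA-Z]:|^[\\/]|\.\.(?:[\\/]|$)')

def inspect_line(line):
    """Return (ip, status, filename) for a suspicious $SCHEMAS$ request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode the path so an encoded "%24SCHEMAS%24" is matched as well.
    if unquote(parts.path).lower().rstrip("/") != ENDPOINT:
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() != "filename":
            continue
        decoded = unquote(value).strip()  # second decode catches double encoding
        if SUSPICIOUS_RE.search(decoded):
            return (m.group("ip"), int(m.group("status")), decoded)
    return None

def scan(lines):
    """Collect findings; status 200 means the server answered the request."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2025:06:30:01 +0000] "GET /hx/resources/public/$SCHEMAS$?Filename=c%3a%5cwindows%5cwin.ini HTTP/1.1" 200 92 "-" "-"',
    '198.51.100.4 - - [27/Oct/2025:06:31:10 +0000] "GET /hx/resources/public/$SCHEMAS$?Filename=order.xsd HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.7 - - [27/Oct/2025:06:32:44 +0000] "GET /hx/resources/public/%24SCHEMAS%24?filename=C%253A%255Cwindows%255Cwin.ini HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [27/Oct/2025:06:33:02 +0000] "GET /hx/index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, status, filename in scan(SAMPLE_LOG):
        print(f"{ip} status={status} Filename={filename}")
```

Hits with status 200 on a system below Maintenance Pack 36 are the ones to triage first, since the advisory states that no authentication is required.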

Vulnerable / tested versions:
-----------------------------
The following versions have been tested and found to be vulnerable:
* 10.14.STD
* According to the vendor, MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8 are
   vulnerable up until the maintenance pack of week 35/2025


Vendor contact timeline:
------------------------
2025-08-06: Contacting vendor via email.
2025-08-08: Answer by vendor.
2025-08-27: Contact from vendor after initial delays.
2025-08-27: Sending of advisory.
2025-09-11: Information from the vendor about patch.
2025-10-13: Contacting the vendor via mail with question about advisory publication.
2025-10-21: Answer by the vendor that advisory can be published.
2025-10-27: Public disclosure of advisory.


Solution:
---------
The vulnerability is fixed in the following version:
* Maintenance Pack of week 36/2025 for MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8

Customers can download the patch at the vendor's support portal.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://x.com/sec_consult

EOF Lukas Donaubauer / @2025
