Platform: other
Component: deviceon-iedge
Fixed in: 2.0.3
CVE-2025-62630 is a path traversal vulnerability in DeviceOn/iEdge that can allow unauthorized file access and code execution. The flaw stems from insufficient sanitization of file paths during configuration file uploads, which lets an attacker bypass the intended upload restrictions. Versions 0.0 through 2.0.2 are affected; a patch is available in version 2.0.3.
The impact of this vulnerability is significant. Successful exploitation allows an attacker to upload a malicious configuration file, effectively traversing the file system. This traversal can lead to the attacker gaining read and write access to sensitive files and directories, potentially including system configuration files, credentials, and proprietary data. The ability to execute code with system-level permissions grants the attacker complete control over the affected DeviceOn/iEdge instance, enabling them to install malware, steal data, or disrupt operations. The blast radius extends to any data or services reliant on the compromised DeviceOn/iEdge system.
CVE-2025-62630 was publicly disclosed on 2025-11-06. The vulnerability's severity is considered HIGH due to the potential for remote code execution. Currently, there are no publicly available proof-of-concept exploits, but the ease of exploitation inherent in path traversal vulnerabilities suggests a potential for rapid exploitation if a PoC is released. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.18% (40th percentile)
The primary mitigation is to upgrade DeviceOn/iEdge to version 2.0.3 or later, which includes the necessary fixes. If immediate upgrading is not possible, consider implementing temporary workarounds. These may include restricting file upload locations to a tightly controlled directory, implementing strict file type validation to prevent the upload of configuration files, and employing a Web Application Firewall (WAF) to filter out malicious requests attempting to exploit the path traversal vulnerability. Monitor system logs for unusual file access patterns or attempts to upload files with suspicious extensions. After upgrading, confirm the fix by attempting to upload a test configuration file with a path traversal payload (e.g., '../etc/passwd') and verifying that the upload fails with an appropriate error.
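As an added illustration of the "restrict uploads to a tightly controlled directory" workaround and the post-upgrade check described above, here is a defensive upload-path validator written for this page. It is not DeviceOn/iEdge code; the upload directory and the set of allowed configuration extensions are assumptions.

```python
import os
from pathlib import Path

# Constructed example: the upload directory and allowed extensions are
# assumptions, not values taken from DeviceOn/iEdge.
UPLOAD_DIR = Path("/var/lib/example-iedge/config-uploads")  # assumed location
ALLOWED_SUFFIXES = {".json", ".yaml", ".yml"}                  # assumed config types


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied file name would escape the upload directory."""


def safe_config_path(filename: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Map a client-supplied file name to a path strictly inside upload_dir.

    The name is expected to be the URL-decoded value the framework hands to
    the handler. Rejects separators, '..', NUL bytes and disallowed
    extensions, then re-checks the resolved path so that anything the
    earlier filters miss (symlinks, odd normalisation) is still contained.
    """
    if not filename or "/" in filename or "\\" in filename:
        raise UnsafeUploadPath(f"rejected: path separator in {filename!r}")
    if filename != os.path.basename(filename) or filename in (".", ".."):
        raise UnsafeUploadPath(f"rejected: illegal name {filename!r}")
    if "\x00" in filename:
        raise UnsafeUploadPath("rejected: NUL byte in file name")
    if Path(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeUploadPath(f"rejected: extension not allowed in {filename!r}")
    root = upload_dir.resolve()
    candidate = (root / filename).resolve()
    # Final containment check: the resolved file must sit directly under root.
    if candidate.parent != root:
        raise UnsafeUploadPath(f"rejected: {filename!r} escapes {root}")
    return candidate


def is_rejected(filename: str) -> bool:
    """True when the validator refuses the name; handy as a post-upgrade smoke test."""
    try:
        safe_config_path(filename)
    except UnsafeUploadPath:
        return True
    return False
```

Running `is_rejected("../etc/passwd")` reproduces the verification step above: the traversal payload must be refused while an ordinary name such as `device.json` is accepted.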
Update DeviceOn/iEdge to a version later than 2.0.2 that fixes the path traversal vulnerability. Consult the Advantech website for the latest version and upgrade instructions. Apply the vendor's recommended security configurations to mitigate the risk of remote code execution.
CVE-2025-62630 is a HIGH severity vulnerability allowing attackers to traverse directories in DeviceOn/iEdge versions 0.0-2.0.2, potentially leading to remote code execution.
If you are using DeviceOn/iEdge versions 0.0 through 2.0.2, you are potentially affected by this vulnerability.
Upgrade DeviceOn/iEdge to version 2.0.3 or later to remediate the vulnerability. Consider temporary workarounds like restricting file uploads if immediate upgrading is not possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for rapid exploitation.
Refer to the official DeviceOn security advisory for detailed information and updates regarding CVE-2025-62630.