Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in WaveStore Server software
16 December 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-65074
Publication date 16 December 2025
Vendor WaveStore
Product WaveStore Server
Vulnerable versions All before 6.44.44
Vulnerability type (CWE) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Report source Report to CERT Polska
CVE ID CVE-2025-65075
Publication date 16 December 2025
Vendor WaveStore
Product WaveStore Server
Vulnerable versions All before 6.44.44
Vulnerability type (CWE) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Report source Report to CERT Polska
CVE ID CVE-2025-65076
Publication date 16 December 2025
Vendor WaveStore
Product WaveStore Server
Vulnerable versions All before 6.44.44
Vulnerability type (CWE) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in WaveStore Server software and participated in coordination of their disclosure.

The vulnerability CVE-2025-65074: WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script.

The vulnerability CVE-2025-65075: WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script.

The vulnerability CVE-2025-65076: WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is being run with root privileges.

This issue was fixed in version 6.44.44

Credits

We thank Julia Zduńczyk for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.