CVE-2025-12055 - Vulnerability Details - OpenCVE

HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance Pack 36 with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system. The "Filename" parameter of the public $SCHEMAS$ ressource is vulnerable and can be exploited easily.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

The vulnerability is fixed in the following version: * Maintenance Pack of week 36/2025 for MIP2 / FEDRA2 / HYDRA X with Servicepack 8 Customers can download the patch from the vendor's support portal.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://r.sec-consult.com/mpdv

History

Mon, 27 Oct 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance Pack 36 with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system. The "Filename" parameter of the public $SCHEMAS$ ressource is vulnerable and can be exploited easily.
Title		Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System
Weaknesses		CWE-22
References		https://r.sec-consult.com/mpdv

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published: 2025-10-27T06:36:36.526Z

Updated: 2025-10-27T06:36:36.526Z

Reserved: 2025-10-22T06:45:51.500Z

Link: CVE-2025-12055

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-27T07:15:37.727

Modified: 2025-10-27T07:15:37.727

Link: CVE-2025-12055

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-12055", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2025-10-22T06:45:51.500Z", "datePublished": "2025-10-27T06:36:36.526Z", "dateUpdated": "2025-10-27T06:36:36.526Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MIP 2", "vendor": "MPDV Mikrolab GmbH", "versions": [{"status": "affected", "version": "<Maintenance Pack 36 with Servicepack 8, release week 36/2025"}]}, {"defaultStatus": "unaffected", "product": "FEDRA 2", "vendor": "MPDV Mikrolab GmbH", "versions": [{"status": "affected", "version": "<Maintenance Pack 36 with Servicepack 8, release week 36/2025"}]}, {"defaultStatus": "unaffected", "product": "HYDRA X", "vendor": "MPDV Mikrolab GmbH", "versions": [{"status": "affected", "version": "<Maintenance Pack 36 with Servicepack 8, release week 36/2025"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lukas Donaubauer, SEC Consult Vulnerability Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance Pack 36 with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system. The \"Filename\" parameter of the public $SCHEMAS$ ressource is vulnerable and can be exploited easily.<br><br>"}], "value": "HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance Pack 36\u00a0with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system. The \"Filename\" parameter of the public $SCHEMAS$ ressource is vulnerable and can be exploited easily."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2025-10-27T06:36:36.526Z"}, "references": [{"url": "https://r.sec-consult.com/mpdv"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability is fixed in the following version:<br><ul><li>Maintenance Pack of week 36/2025 for MIP2 / FEDRA2 / HYDRA X with Servicepack 8</li></ul>Customers can download the patch from the vendor's support portal.<br>"}], "value": "The vulnerability is fixed in the following version:\n * Maintenance Pack of week 36/2025 for MIP2 / FEDRA2 / HYDRA X with Servicepack 8\n\n\nCustomers can download the patch from the vendor's support portal."}], "source": {"discovery": "EXTERNAL"}, "title": "Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}