Description
A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter expressions to the log_filter endpoint using the filterStr parameter. This input is processed by a backend parser that permits execution of file expansion syntax, allowing the attacker to retrieve arbitrary system files via the log viewing interface.
Published: 2025-07-10
Score: 7.1 High
EPSS: 65.4% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the log filtering feature of Riverbed SteelHead VCX appliances, allowing an authenticated user to provide specially crafted filter expressions that the backend parser expands and uses to read arbitrary files on the system. The vulnerability permits disclosure of sensitive files through the web‑based log viewer, representing a confidentiality breach (CWE‑200).

Affected Systems

Riverbed Technology’s SteelHead VCX appliances, confirmed on model VCX255U running firmware 9.6.0a, expose this flaw through the management interface’s log_filter endpoint.

Risk and Exploitability

The CVSS score of 7.1 is rated High, and an EPSS score of 65% signals a relatively high likelihood of exploitation. Exploitation requires valid credentials to the management web interface; the attacker then submits a crafted filterStr parameter to the log_filter endpoint, and the server expands the file references and returns the requested file content through the log viewer. The vulnerability is not listed in CISA’s KEV catalog, but the combination of high exploitation probability and High severity warrants swift action.

Generated by OpenCVE AI on May 6, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or upgrade to a firmware release that removes the vulnerable log filter logic
  • Block or restrict remote access to the SteelHead VCX management interface and enforce strong authentication mechanisms
  • As a temporary measure, disable log filtering or block file‑expansion syntax in the log_filter endpoint to prevent file read attempts

Advisories
Source: EUVD
ID: EUVD-2025-21035
Title: A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter expressions to the log_filter endpoint using the filterStr parameter. This input is processed by a backend parser that permits execution of file expansion syntax, allowing the attacker to retrieve arbitrary system files via the log viewing interface.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00054}
Values Added: epss {'score': 0.00061}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Added: epss {'score': 0.00054}


Thu, 10 Jul 2025 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 10 Jul 2025 19:30:00 +0000

Type: Description
Values Added: A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter expressions to the log_filter endpoint using the filterStr parameter. This input is processed by a backend parser that permits execution of file expansion syntax, allowing the attacker to retrieve arbitrary system files via the log viewing interface.

Type: Title
Values Added: Riverbed SteelHead VCX Authenticated Arbitrary File Read via Log Filter Injection

Type: Weaknesses
Values Added: CWE-200

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:27.476Z

Reserved: 2025-04-15T19:15:22.555Z

Link: CVE-2025-34098

Vulnrichment

Updated: 2025-07-10T20:25:43.280Z

NVD

Status: Deferred

Published: 2025-07-10T20:15:25.413

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses