Impact
A misassignment of file permissions allows an attacker to modify or delete critical files on the device. A specially crafted network request can overwrite legitimate configuration files or inject malicious code, compromising data integrity and potentially leading to further exploitation. The flaw is identified as CWE‑732, indicating incorrect permission assignment that unintentionally exposes sensitive resources.
Affected Systems
Products from Owl Cyberdefense are impacted, specifically the Owl opds‑talon platform version 2.2.0.4. Earlier OPDS releases such as opds‑1000 and opds‑100 may also use the same code path and could share the vulnerability, but only 2.2.0.4 is confirmed. The affected environment is a hardware appliance that exposes a management interface over the network.
Risk and Exploitability
The advisory rates the vulnerability as high severity, with a CVSS score of 8.5, yet the EPSS score is reported as less than 1%, indicating a low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, requiring the attacker to send a crafted request to the device’s exposed management interface. No explicit authentication requirement is noted, so the service may be exploitable without credentials, but the exact prerequisites remain uncertain. Successful exploitation would enable manipulation of critical system files, undermining the integrity and availability of the device.