Description
A path Traversal vulnerability exists in Ziostation2 v2.9.8.7 and earlier. A remote unauthenticated attacker may get sensitive information on the operating system.
Published: 2026-04-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic path traversal flaw in Ziostation2, allowing an attacker to craft requests that reference files outside the intended directory. This flaw, identified as CWE‑22, lets a remote unauthenticated attacker retrieve sensitive operating‑system files or configurations, resulting in confidentiality disclosure. No code execution or privilege escalation is explicitly described, so the primary impact is data leakage.

Affected Systems

Affected are Ziosoft, Inc.'s Ziostation2 device firmware versions 2.9.8.7 and earlier. The flaw exists in the file‑download handling component exposed over the device’s web interface.

Risk and Exploitability

The CVSS score is 8.7, indicating a high severity. With an EPSS score below 1% and no listing in the CISA KEV catalog, exploitation is considered unlikely at present. However, the path traversal can be triggered without authentication, so a potential attacker only needs to send a specially‑crafted request to the device’s web service, which in many cases may be exposed to the Internet.

Generated by OpenCVE AI on April 28, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Ziostation2 firmware update that addresses the path traversal issue.
  • Ensure that the device’s web service restricts file access to the intended download directory and validates all path parameters, removing "." or ".." sequences and decoding URL encodings.
  • Use network segmentation or firewall ACLs to limit external access to the Ziostation2 management interface, allowing only trusted IP ranges.

Generated by OpenCVE AI on April 28, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://jvn.jp/en/jp/JVN00575116/ cve-icon cve-icon
History

Tue, 12 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Zio
Zio ziostation2
CPEs cpe:2.3:a:zio:ziostation2:*:*:*:*:*:*:*:*
Vendors & Products Zio
Zio ziostation2

Tue, 28 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Title Ziostation2 Remote Path Traversal Allows Sensitive OS Information Disclosure

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ziosoft
Ziosoft ziostation2
Vendors & Products Ziosoft
Ziosoft ziostation2

Thu, 23 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description A path Traversal vulnerability exists in Ziostation2 v2.9.8.7 and earlier. A remote unauthenticated attacker may get sensitive information on the operating system.
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Zio Ziostation2
Ziosoft Ziostation2
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-23T16:23:52.670Z

Reserved: 2026-04-13T06:08:31.479Z

Link: CVE-2026-40062

cve-icon Vulnrichment

Updated: 2026-04-23T14:01:20.323Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T00:16:45.467

Modified: 2026-05-12T15:19:47.283

Link: CVE-2026-40062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses