
Stefano Farletti

#22887 of 53,635
10 Total CVSS
Vulnerabilities · 1
PT-2018-1032
10
2018-01-24
Ravpower · Ravpower Filehub · CVE-2018-5997
**Name of the Vulnerable Software and Affected Versions**

RAVPower Filehub version 2.000.056

**Description**

The issue is in the HTTP Server of the RAVPower Filehub, where an unrestricted upload feature and a path traversal vulnerability allow a file to be uploaded to the filesystem with root privileges, leading to remote code execution as root. The vulnerability exists due to insufficient restrictions on the directory path name and a lack of limitations on file uploads. A remote attacker can exploit it to execute arbitrary code with root privileges.

**Recommendations**

For RAVPower Filehub version 2.000.056, consider restricting access to the HTTP Server until a patch is available. As a temporary workaround, disabling the upload feature can help minimize the risk of exploitation. Additionally, limiting directory access and implementing proper path validation can reduce exposure to remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.