CVE-2025-43928

Name of the Vulnerable Software and Affected Versions Infodraw Media Relay Service version 7.1.0.0

Description The issue allows reading arbitrary files via ../ directory traversal in the username field. This can potentially reveal administrator credentials in cleartext or with MD5 hashing when reading ServerParameters.xml. The MRS web server, which is affected, operates on port 12654.

Recommendations For Infodraw Media Relay Service version 7.1.0.0, consider disabling the username field in the MRS web server as a temporary workaround until a patch is available. Restrict access to the ServerParameters.xml file to minimize the risk of exploitation. Avoid using the username field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.