PT-2025-33747 · Ezged3 · Ezged3

Ballpoint · Published 2025-08-19 · Updated 2025-12-05 · CVE-2025-51539

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: EzGED3 versions prior to 3.5.72.27183

Description: EzGED3 contains an unauthenticated arbitrary file read vulnerability caused by inadequate access control and insufficient input validation in a script reachable through the web interface. A remote attacker can supply a manipulated path parameter to a PHP script and read arbitrary files from the filesystem. The script performs no authentication check and no secure path handling, so directory traversal sequences (e.g., ../../../) reach sensitive files such as configuration files, database dumps, source code, and password reset tokens. If phpMyAdmin is exposed, credentials extracted this way could be used for direct administrative access. In environments without phpMyAdmin, the same file read can still yield a full database extraction by targeting the raw MySQL data files.

Recommendations: Update EzGED3 to version 3.5.72.27183 or later.
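The two things a defender wants from this advisory are a way to confirm whether an installation is still on an affected build and a way to spot traversal attempts against the web interface, plus the path confinement the description says the script lacks. The block below is an added example written for this page; it is not code from the advisory, from EzGED3, or from the reporter. The script name (/script.php), the parameter name (path), the Apache-style log lines and the temporary directory layout are assumptions constructed for the demonstration; only the fixed version 3.5.72.27183 comes from the advisory.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Added example for this advisory; not EzGED3 code. The script name
# (/script.php), the parameter name (path) and the Apache-style log
# lines are assumptions made for the demonstration.

FIXED_VERSION = (3, 5, 72, 27183)  # first fixed release named in the advisory


def parse_version(text):
    """'3.5.72.27183' -> (3, 5, 72, 27183) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version_text):
    """True when the installed EzGED3 build is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def decode_fully(value, rounds=3):
    """URL-decode until stable so double-encoded traversal (%252e%252e) is exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(base_dir, requested):
    """Canonicalise a user-supplied path and confine it to base_dir.

    Returns the resolved absolute path when it stays inside base_dir and
    None otherwise. realpath() collapses '..' and follows symlinks, so a
    symlink pointing outside base_dir is rejected as well.
    """
    base = os.path.realpath(base_dir)
    # join() would discard base for an absolute input, so drop leading separators.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def read_confined(base_dir, requested):
    """Hardened file read: only regular files under base_dir are returned."""
    path = safe_resolve(base_dir, decode_fully(requested))
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo_confined_read():
    """Exercise read_confined() on a throwaway layout constructed here:
    root/www/public.txt is servable, root/secret.txt must stay unreachable."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    os.mkdir(www)
    with open(os.path.join(www, "public.txt"), "wb") as fh:
        fh.write(b"public")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"secret")
    return {
        "inside": read_confined(www, "public.txt"),
        "traversal": read_confined(www, "../secret.txt"),
        "encoded": read_confined(www, "%2e%2e%2fsecret.txt"),
    }


# Constructed Apache combined-format lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Aug/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Aug/2025:10:01:05 +0000] "GET /script.php?path=../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.4 - - [19/Aug/2025:10:02:11 +0000] "GET /script.php?path=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 77',
    '198.51.100.4 - - [19/Aug/2025:10:02:13 +0000] "GET /script.php?path=%252e%252e%252fdump.sql HTTP/1.1" 404 0',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\.[/\\]")


def find_traversal_requests(lines):
    """Return (ip, raw target, status) for requests whose decoded target contains '../' or '..\\'."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        if TRAVERSAL.search(decode_fully(match.group("target"))):
            hits.append((match.group("ip"), match.group("target"), match.group("status")))
    return hits


if __name__ == "__main__":
    print("3.5.71.1 affected:", is_affected("3.5.71.1"), "| 3.5.72.27183 affected:", is_affected("3.5.72.27183"))
    print(demo_confined_read())
    for hit in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Two design points matter here. The confinement check compares canonical paths rather than scanning for "../" substrings, so encoded, absolute and symlinked variants all fall out of the same test; the log scanner, by contrast, decodes repeatedly before matching, because a single unquote() pass would miss the double-encoded request. A 200 status on a flagged request is the line worth chasing first, since it means the file read succeeded.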

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2025-51539

Affected Products: Ezged3