SEC Consult SA-20251027-0 :: Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System #CVE-2025-12055

[SEC Consult Vulnerability Lab via Fulldisclosure <fulldisclosure () seclists org>]

SEC Consult Vulnerability Lab Security Advisory < 20251027-0 >
=======================================================================
              title: Unauthenticated Local File Disclosure
            product: MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing
                     Execution System
 vulnerable version: 10.14.STD, MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8
                     Maintenance versions until week 35/2025
      fixed version: Maintenance Pack 36 for MIP 2 / FEDRA 2 / HYDRA X
                     with Servicepack 8, week 36/2025
         CVE number: CVE-2025-12055
             impact: high
           homepage: https://www.mpdv.com/
              found: 2025-06-23
                 by: Lukas Donaubauer
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"You monitor, control and optimize your production continuously with
HYDRA X. You can therefore keep an eye on all resources at all times
and design your production processes to be as efficient as possible.
Digitization in production is unstoppable! Companies who want to
produce efficiently need HYDRA X."

Source: https://www.mpdv.com/en/products/mes-hydra-x


Business recommendation:
------------------------
The vendor provides a patch in their support portal which should be
installed immediately.

SEC Consult highly recommends performing a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated Local File Disclosure (CVE-2025-12055)
HYDRA X, MIP2 and FEDRA 2 suffer from an unauthenticated local file disclosure
vulnerability which allows an attacker to read arbitrary files from the Windows
operating system (HYDRA X is designed to work on Windows). The "Filename"
parameter of the public $SCHEMAS$ ressource is vulnerable and can be
exploited easily.


Proof of concept:
-----------------
1) Unauthenticated Local File Disclosure (CVE-2025-12055)
The following proof of concept shows the HTTP request that was used to read
local files of the server's operating system. The vulnerability can be
triggered as soon as a vulnerable version of the software is in use.
Authorization and authentication are not needed.

-------------------------------------------------------------------------------
HTTP Request:
GET /hx/resources/public/$SCHEMAS$?Filename=c%3a%5cwindows%5cwin.ini HTTP/1.1
Host: <IP>
-------------------------------------------------------------------------------

Vulnerable / tested versions:
-----------------------------
The following versions have been tested and found to be vulnerable:
* 10.14.STD
* According to the vendor MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8, up until
  the maintenance pack of week 35/2025 are vulnerable


Vendor contact timeline:
------------------------
2025-08-06: Contacting vendor via email.
2025-08-08: Answer by vendor.
2025-08-27: Contact from vendor after initial delays.
2025-08-27: Sending of advisory.
2025-09-11: Information from the vendor about patch.
2025-10-13: Contacting the vendor via mail with question about advisory publication.
2025-10-21: Answer by the vendor that advisory can be published.
2025-10-27: Public disclosure of advisory.


Solution:
---------
The vulnerability is fixed in the following version:
* Maintenance Pack of week 36/2025 for MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8

Customers can download the patch at the vendor's support portal.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://x.com/sec_consult

EOF Lukas Donaubauer / @2025

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/