MPDV Mikrolab Products Unauthenticated Local File Disclosure Vulnerability

Vulnerability

A local file disclosure vulnerability has been identified in MPDV Mikrolab's HYDRA X, MIP 2, and FEDRA 2 products, all versions prior to Maintenance Pack 36 with Service Pack 8 (week 36/2025). It allows an unauthenticated attacker to read arbitrary files from the Windows host on which the software is installed. The flaw is in the 'Filename' parameter of the public '$SCHEMAS$' resource and is easy to exploit.

Impact

Exploitation of this vulnerability allows for unauthorized access to local files on the Windows operating system, potentially leading to the disclosure of sensitive information.

Reproduction

The vulnerability can be reproduced by sending an HTTP GET request to the '$SCHEMAS$' resource with the 'Filename' parameter set to the path of a file on the Windows operating system, such as 'c:\windows\win.ini'.

Remediation

Users are advised to upgrade to Maintenance Pack 36 for MIP 2, FEDRA 2, or HYDRA X with Service Pack 8, week 36/2025. The patch is available through the vendor's support portal.
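
To check whether an instance was probed before it was patched, web server access logs can be searched for the request shape described under Reproduction. The following is an added example, not code from the vendor or from the original advisory; the combined log format, the `/placeholder/` URL prefix, and the rule that a benign 'Filename' value is a bare relative file name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines. "/placeholder/" stands in for the real
# URL prefix, which the advisory does not state.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:07:01:11 +0000] "GET /placeholder/$SCHEMAS$?Filename=order.xsd HTTP/1.1" 200 812
10.0.0.9 - - [27/Oct/2025:07:02:40 +0000] "GET /placeholder/%24SCHEMAS%24?filename=c%3A%5Cwindows%5Cwin.ini HTTP/1.1" 200 92
10.0.0.9 - - [27/Oct/2025:07:02:44 +0000] "GET /placeholder/$SCHEMAS$?Filename=..%5C..%5Cweb.config HTTP/1.1" 404 0
10.0.0.7 - - [27/Oct/2025:07:03:02 +0000] "GET /placeholder/index.html?Filename=c%3A%5Ctemp HTTP/1.1" 200 5120
"""

REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Drive letter, rooted or UNC path, or a parent-directory segment.
SUSPICIOUS = re.compile(r'^(?:[a-z]:|/)|(?:^|/)\.\.(?:/|$)', re.IGNORECASE)


def suspicious_filename(value):
    """True if a Filename value is more than a bare relative file name (assumed benign form)."""
    # A second decode pass catches double-encoded values; treat both slash styles alike.
    value = unquote(value).replace("\\", "/")
    return bool(SUSPICIOUS.search(value))


def scan(log_text):
    """Return (client_ip, status, decoded Filename) for suspect $SCHEMAS$ requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Decode the path so that %24SCHEMAS%24 is matched as well.
        if "$schemas$" not in unquote(parts.path).lower():
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() == "filename" and suspicious_filename(value):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


if __name__ == "__main__":
    for ip, status, name in scan(SAMPLE_LOG):
        print(f"{ip} status={status} Filename={name}")
```

A hit with status 200 and a non-zero response size deserves priority, since it suggests the requested file was returned.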

Added: Oct 27, 2025, 7:26 AM
Updated: Oct 27, 2025, 2:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 5.0
remediation: 7.7
relevance: 0.9
threat: 2.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.