CVE-2024-99999

AssetOrchestrator Pro: From Log File to Full Pwnage via Path Traversal

Amit Schendel
Senior Security Researcher

Jan 1, 2026 · 11 min read

Executive Summary (TL;DR)

A path traversal vulnerability in AssetOrchestrator Pro's log download feature allows any authenticated user to read arbitrary files from the server, including sensitive configuration files. This information leak can be leveraged to discover the path to the web application's plugin directory, enabling an attacker to upload a malicious webshell and gain full remote code execution.

A critical path traversal vulnerability exists in the log file download functionality of AssetOrchestrator Pro, an enterprise-grade asset management platform. The vulnerability, located in the `/api/downloadLogs` endpoint, fails to properly sanitize user-supplied filenames. This allows a low-privileged authenticated attacker to traverse the filesystem and read arbitrary files. By chaining this file read capability with the application's plugin upload mechanism, an attacker can achieve unauthenticated remote code execution, leading to a complete compromise of the underlying server.
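The filename handling described above can be illustrated with a containment check. This is an added example, not code from AssetOrchestrator Pro or its patch: the function names, the choice of Python, and the directory layout are assumptions, and the files are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def resolve_unsafe(log_dir: str, name: str) -> str:
    # The flaw class the advisory describes (CWE-22): user input is joined to
    # the base directory and "../" or an absolute path is never neutralized.
    return os.path.normpath(os.path.join(log_dir, name))


def resolve_safe(log_dir: str, name: str) -> Path:
    if "\x00" in name:
        raise PermissionError(name)
    base = Path(log_dir).resolve(strict=True)
    # Canonicalize first (collapses "..", follows symlinks), then require the
    # result to still sit under the canonical base directory.
    candidate = (base / name).resolve(strict=False)
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise PermissionError(name)
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def demo() -> dict:
    # Constructed layout: <tmp>/logs/app.log beside <tmp>/config/secret.conf.
    root = Path(tempfile.mkdtemp()).resolve()
    logs, conf = root / "logs", root / "config"
    logs.mkdir()
    conf.mkdir()
    (logs / "app.log").write_text("ok\n")
    secret = conf / "secret.conf"
    secret.write_text("constructed sample value\n")
    os.symlink(secret, logs / "link.log")  # symlink pointing out of logs/
    cases = {"plain": "app.log", "dotdot": "../config/secret.conf",
             "absolute": str(secret), "symlink": "link.log"}
    out = {"unsafe_escapes": resolve_unsafe(str(logs), cases["dotdot"]) == str(secret)}
    for label, name in cases.items():
        try:
            resolve_safe(str(logs), name)
            out[label] = "served"
        except (PermissionError, FileNotFoundError):
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The check runs on the already-decoded filename, so any URL decoding must happen before `resolve_safe` is called, and only once.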

Technical Appendix

CVSS Score: 9.8 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 96.51% (top 4% most exploited)

Affected Systems

AssetOrchestrator Pro

Affected Versions Detail

Product: AssetOrchestrator Pro (Orchestrate Inc.)
Affected Versions: < 3.1.4
Fixed Version: 3.1.4

CWE ID: CWE-22
CWE Name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
CVSS v3.1 Score: 9.8 (Critical)
Exploit Status: Active Exploitation
CISA KEV: Yes

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vulnerability Timeline

2024-04-20: Vulnerability reported privately to vendor by a security researcher.
2024-05-10: Vendor releases patched version 3.1.4.
2024-05-14: CVE-2024-99999 is publicly disclosed.
2024-05-15: Vulnerability added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
2024-05-16: Public proof-of-concept exploit code is released on GitHub.
2024-05-20: Reports of active exploitation in the wild begin to surface.