CVE-2025-14224

critical

Published 2025-12-08 · Modified 2026-04-29

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

4.0

VIR risk

9.8

Description

A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. Affected by this issue is some unknown functionality of the component File Upload. Performing manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://vuldb.com/?ctiid.334666
https://vuldb.com/?id.334666
https://vuldb.com/?submit.701673
https://www.notion.so/2b76cf4e528a80f6ae50fe21b13ff0b8
https://www.notion.so/Yottamaster-NAS-Unauth-Operation-2b76cf4e528a80f6ae50fe21b13ff0b8

CWEs

CWE-22

Verify integrity in audit chain (admin only). AS-IS.