Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.
Security readout for executives and security teams
Plain-English summary
CVE-2021-4463 lets unauthenticated attackers download files from Longjing Technology BEMS API by abusing insufficient file path checks in a download endpoint. This can expose sensitive server files, credentials, or configuration data. The bundle does not name a fixed version or vendor mitigation.
Executive priority
Treat as high priority where BEMS API is deployed or internet reachable. The main business risk is sensitive file disclosure without credentials. Prioritize asset discovery, exposure reduction, and vendor guidance because the bundle does not identify a patch.
Technical view
BEMS API up to and including 1.21 has a path traversal issue in the downloads endpoint. The fileName parameter is not properly sanitized, allowing access outside the intended directory. The CVSS 4.0 score is 8.7, driven by network reachability, no authentication, and high confidentiality impact.
Likely exposure
Exposure is likely limited to organizations running Shenzhen Longjing Technology BEMS API up to 1.21, especially if the API or downloads endpoint is reachable from untrusted networks. The source metadata has version ambiguity, so owners should verify deployments directly.
Exploitation context
Public exploit references are listed by ZeroScience, Exploit-DB, Packet Storm, and CXSecurity. The bundle does not show CISA KEV listing or other evidence of active exploitation, so active exploitation should not be assumed.
Researcher notes
The record cites CWE-22 and CWE-552. CVE publication is dated 2025, while exploit references are from 2021-era advisories. The affected metadata lists version "0" but the description states up to and including 1.21; validate before drawing scope conclusions.
Mitigation direction
Identify any Longjing Technology BEMS API deployments and confirm versions.
Restrict external access to the API and downloads endpoint.
Require authentication or trusted-network access where operationally feasible.
Review vendor or advisory guidance for fixed versions or official mitigations.
Monitor logs for suspicious fileName requests targeting sensitive paths.
Validation and detection
Inventory BEMS API instances across internet-facing and internal environments.
Confirm whether deployments are version 1.21 or earlier.
Check whether the downloads endpoint is reachable without authentication.
Review access logs for abnormal download requests or traversal-like fileName values.
Document source ambiguity around affected versions before closing risk.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-22: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-22 · source CWE mapping
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Files or Directories Accessible to External Parties
Files or Directories Accessible to External Parties represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.