Ecoa Bas controller is a building automation controller from Ecoa Technologies Corp. in China. A path traversal vulnerability exists in Ecoa Bas controller, which can be exploited by attackers to compromise the device directory content by using the GET parameter in the file manager.