CVE-2018-25181

Severity: High · Public PoC

Published: 06 March 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score (v4): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0063 (45.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25181 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 45.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2018-25181 is a path traversal vulnerability (CWE-22) affecting Musicco version 2.0.0. The flaw resides in the getAlbum endpoint, where the parent parameter can be manipulated with directory traversal sequences, such as ../, enabling unauthenticated attackers to access and download arbitrary system directories as ZIP files. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity. By supplying crafted traversal payloads in the parent parameter, they can traverse outside the intended directory structure to reach sensitive system locations, resulting in the unauthorized download of their contents as ZIP archives. This grants attackers broad read access to potentially critical files, configurations, or data without impacting integrity or availability.

Advisories and references, including an exploit on Exploit-DB (https://www.exploit-db.com/exploits/45830) and a VulnCheck advisory (https://www.vulncheck.com/advisories/musicco-arbitrary-directory-download-via-path-traversal), document the issue but do not specify patches or mitigations in the provided details. Security practitioners should review these sources for any updates on remediation, such as input validation on the parent parameter or endpoint restrictions.

A proof-of-concept exploit is publicly available on Exploit-DB, highlighting the vulnerability's exploitability in Musicco 2.0.0 deployments. The CVE was published on 2026-03-06.

Vulnerability details

Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in a public-facing web endpoint directly enables remote, unauthenticated access to arbitrary local files and directories (T1005), and the flaw is reachable through the Internet-facing application itself (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)
CVE-2025-44177 (shared CWE-22)
CVE-2023-42226 (shared CWE-22)
CVE-2026-39859 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2026-23939 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2025-69411 (shared CWE-22)

Affected Assets

Musicco 2.0.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Validate the parent parameter in the getAlbum endpoint and reject directory traversal sequences such as ../, so that requests cannot resolve to arbitrary system directories.

Prevent: AC-3 (Access Enforcement). Enforce approved access authorizations so that the getAlbum endpoint can only serve directories inside the intended music library, blocking any path that resolves outside the application's scope.

Prevent: SC-7 (Boundary Protection). Apply boundary protection at external interfaces, such as a web application firewall, to inspect and block requests carrying path traversal payloads aimed at the unauthenticated endpoint.
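The two application-side controls above (input validation on the parent parameter and enforcing that the endpoint stays inside the library) come down to one check: resolve the requested directory and confirm it is still contained in the configured root. The following is an added illustration written for this page, not Musicco's code; the library root path, the request samples and the function names are assumptions constructed for the demonstration. It places the weak pattern (trusting the parameter and joining it onto the root) next to a hardened resolver that rejects absolute paths, backslashes, null bytes and any ".." segment, then canonicalises with realpath and checks component-wise containment.

```python
"""Containment check for a user-controlled directory parameter (constructed example)."""
import os
import posixpath

# Assumed library root for the demonstration; Musicco's real configuration is not shown on the page.
MUSIC_ROOT = "/srv/musicco/music"


def naive_album_dir(root: str, parent: str) -> str:
    """The weak pattern: the parameter is trusted and joined straight onto the root.

    Nothing stops ".." segments from walking out of `root`, which is the CWE-22
    shape the advisory describes for the getAlbum endpoint.
    """
    return posixpath.normpath(posixpath.join(root, parent))


def safe_album_dir(root: str, parent: str):
    """Return the absolute directory for `parent`, or None if the request must be rejected.

    `parent` is assumed to be already URL-decoded by the web framework; decoding it
    a second time here would turn a literal "%2e%2e" into "..", so we do not.
    """
    # Null bytes can truncate paths inside C-backed filesystem calls: reject outright.
    if "\x00" in parent:
        return None
    # Only relative, forward-slash paths are meaningful for a library subdirectory.
    if parent.startswith("/") or "\\" in parent:
        return None
    # Defense in depth: no segment may be "..", regardless of later normalisation.
    if any(seg == ".." for seg in parent.split("/")):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, parent))
    # realpath resolves symlinks, so a link inside the library that points outside is caught too.
    # commonpath is a component-wise prefix test: ".../music-old" does not pass as ".../music".
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


# Constructed sample values of the parent parameter, as received after framework decoding.
SAMPLE_REQUESTS = [
    "Beatles/Abbey Road",
    "Beatles/../../../../etc",
    "/etc",
    "Beatles/..\\..\\windows",
    "..",
    "Beatles/./Revolver",
]


def evaluate(requests=SAMPLE_REQUESTS, root=MUSIC_ROOT):
    """Run both resolvers over the samples; returns {parent: (naive_result, safe_result)}."""
    return {p: (naive_album_dir(root, p), safe_album_dir(root, p)) for p in requests}


if __name__ == "__main__":
    for parent, (weak, hardened) in evaluate().items():
        verdict = "REJECTED" if hardened is None else hardened
        print(f"{parent!r:30} naive -> {weak:25} hardened -> {verdict}")
```

The naive resolver happily turns "Beatles/../../../../etc" into "/etc", which is exactly the directory download the advisory warns about; the hardened one returns None for it and for every other sample that leaves the root, while ordinary album paths resolve normally. One caveat worth keeping in mind: realpath reflects the filesystem at the moment of the call, so the resulting path should be opened immediately and the ZIP built from that handle rather than re-deriving the path later from the original parameter.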

References

Exploit-DB entry: https://www.exploit-db.com/exploits/45830
VulnCheck advisory: https://www.vulncheck.com/advisories/musicco-arbitrary-directory-download-via-path-traversal