CVE-2025-0473

Medium

Published: 16 January 2025

Published

16 January 2025

Modified

07 May 2025

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0013 31.5th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0473 is a medium-severity Incomplete Cleanup (CWE-459) vulnerability in Sigb Pmb. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Local Data Staging (T1074.001); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-14 (Non-persistence) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Local Data Staging (T1074.001) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-14 Non-persistence good match

prevent

Directly prevents persistence of temporary files by enforcing non-persistence requirements on uploaded files at the vulnerable endpoint.

AC-3 Access Enforcement partial match

prevent

Enforces authorized access to temporary file storage locations, mitigating unauthorized read access to persisted sensitive files.

SI-4 System Monitoring partial match

detect

Monitors the file system for indicators of exploitation, such as orphaned temporary files from incomplete upload workflows.

MITRE ATT&CK Enterprise TechniquesAI

T1074.001 Local Data Staging Collection

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration.

attack.mitre.org →

T1105 Ingress Tool Transfer Command And Control

Adversaries may transfer tools or other files from an external system into a compromised environment.

attack.mitre.org →

Why these techniques?

Vuln allows uploaded files to persist by omitting cleanup POST, directly enabling local staging of transferred tools/data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the ‘/pmb/authorities/import/iimport_authorities’ endpoint. When a file is uploaded via this…

resource, the server will create a temporary file that will be deleted after the client sends a POST request to ‘/pmb/authorities/import/iimport_authorities’. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted.

Deeper analysisAI

CVE-2025-0473 is a vulnerability in the PMB platform that enables an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. The issue resides in the file upload functionality at the '/pmb/authorities/import/iimport_authorities' endpoint. During the normal workflow, a file upload creates a temporary file on the server, which is subsequently deleted after the client sends a follow-up POST request to the same endpoint. This process is automated by the web client, but it can be disrupted by an attacker.

The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility with low attack complexity, requiring low privileges, no user interaction, and unchanged scope, primarily impacting confidentiality. An authenticated attacker with low privileges can exploit this by intercepting and delaying or omitting the second POST request, preventing the automatic deletion of the temporary file and allowing persistent storage of potentially sensitive uploaded content on the server.

The INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform documents this as one of multiple vulnerabilities in the PMB platform.