Cyber Posture

CVE-2025-0502

Critical

Published: 15 January 2025

Published
15 January 2025
Modified
15 December 2025
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0036 58.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0502 is a critical-severity Resource Leak (CWE-402) vulnerability in Craftercms Craftercms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the resource leak vulnerability by requiring timely patching of CrafterCMS to fixed versions 4.0.8 or 4.1.6 as per the vendor advisory.

CM-6 Configuration Settings good match
prevent

Ensures secure configuration settings in the CrafterCMS engine to disable directory indexing and prevent exposure of private resources.

AC-22 Publicly Accessible Content good match
prevent

Restricts public access to private resources, directly countering the directory indexing leak that exposes sensitive data without authentication.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct exploitation of public-facing CrafterCMS Engine via unauthenticated directory indexing/resource leak for sensitive data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

Deeper analysisAI

CVE-2025-0502 is a Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in the CrafterCMS Engine, enabling Directory Indexing and Resource Leak Exposure. It affects CrafterCMS versions from 4.0.0 prior to 4.0.8 and from 4.1.0 prior to 4.1.6, across Linux, macOS, x86, Windows, 64-bit, and ARM platforms. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and maps to CWE-402.

Remote unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction. Exploitation grants access to private resources via directory indexing and leaks, leading to high-impact confidentiality loss through exposure of sensitive data and high-impact availability disruption.

The official CrafterCMS security advisory provides mitigation guidance at https://craftercms.com/docs/current/security/advisory.html#cv-2025011501. Affected systems should be upgraded to CrafterCMS 4.0.8 or later, or 4.1.6 or later, to address the issue.

Details

CWE(s)
CWE-402

Affected Products

craftercms
craftercms
4.0.0 — 4.0.8 · 4.1.0 — 4.1.6

CVEs Like This One

CVE-2026-21218Same product: Apple Macos
CVE-2026-32178Same product: Apple Macos
CVE-2026-3598Same product: Apple Macos
CVE-2025-23318Same product: Linux Linux Kernel
CVE-2025-23310Same product: Linux Linux Kernel
CVE-2025-69273Same product: Linux Linux Kernel
CVE-2025-23317Same product: Linux Linux Kernel
CVE-2025-23311Same product: Linux Linux Kernel
CVE-2026-28710Same product: Linux Linux Kernel
CVE-2024-51954Same product: Linux Linux Kernel

References