Cyber Resilience

CVE-2025-0632

Critical

Published: 21 April 2025

Modified: 15 April 2026
KEV: not listed
Patch: available
CVSS v4.0 score: 9.2 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0154 (81.7th percentile)
Risk priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0632 is a critical-severity path traversal (CWE-22) vulnerability in Formulatrix Rock Maker (the affected product is inferred from references). Its CVSS v4.0 base score is 9.2 (Critical).

Operationally, its EPSS score places it in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-0632 is a local file inclusion vulnerability in the Render function of Formulatrix Rock Maker Web that stems from improper handling of user-supplied file paths, enabling remote attackers to read arbitrary files on the host. The flaw affects Rock Maker Web versions 3.2.1.1 and later, is tracked under CWE-22 and CWE-98, and carries a CVSS v4.0 score of 9.2.

An unauthenticated remote attacker can supply crafted input to the Render function to execute malicious scripts that automatically retrieve configuration files from known locations, exfiltrating credentials and other sensitive data. Because the application lacks rate limiting, the same vector also permits systematic enumeration of the host filesystem, which can escalate to full system compromise.

The vendor has published a security bulletin and an updated installer (RockMakerWeb_3.18.4.7_setup.exe) on its download portal that address the issue; administrators should apply the patched build and review the accompanying bulletin for configuration guidance.

EPSS for the CVE peaked at 0.0269 after disclosure before settling at the current value of 0.0154, indicating a measurable rise in predicted exploitation interest immediately after public release that has since partly subsided.

Vulnerability details

Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in known locations to exfiltrate data including credentials, and with no rate limiting a malicious actor could enumerate the filesystem of the host machine and potentially lead to full host compromise. This issue affects Rock Maker Web: from 3.2.1.1 and later

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') and CWE-98 (Improper Control of Filename for Include/Require Statement, 'File Inclusion')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Formulatrix Rock Maker (inferred from references and the description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames to prevent traversal outside intended directories.
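The control above shown in code, as an added example that is not code from Rock Maker Web or its vendor: a file lookup written the CWE-22 way, beside a version that resolves the requested name and rejects anything that lands outside a base directory or is not a renderable file type. The base directory, the allowed suffixes and the function names are assumptions for illustration, and the handler is assumed to receive an already URL-decoded name from its web framework.

```python
import os
from pathlib import Path

# Constructed values for this example; the advisory does not give the
# product's real template directory or file types.
BASE_DIR = Path("/srv/rmw/templates").resolve()
ALLOWED_SUFFIXES = {".html", ".tpl"}


class PathTraversalError(ValueError):
    """Raised when a requested name does not stay inside the base directory."""


def render_path_unsafe(base_dir: Path, name: str) -> Path:
    """The CWE-22 pattern: user input joined straight onto the base directory.
    os.path.join drops base_dir entirely when name is absolute, and '..'
    segments walk out of it, so any file readable by the service is reachable."""
    return Path(os.path.join(base_dir, name))


def render_path_safe(base_dir: Path, name: str) -> Path:
    """Resolve the requested name and require the result to stay inside
    base_dir. Assumes the web framework has already URL-decoded `name`."""
    if "\x00" in name:
        raise PathTraversalError("NUL byte in requested name")
    # resolve() collapses '..' and follows symlinks, so the containment test
    # is made on the path the OS would actually open, not on the raw string.
    candidate = (base_dir / name).resolve()
    # relative_to(), unlike a str.startswith() check, does not accept a
    # sibling such as /srv/rmw/templates_old that merely shares the prefix.
    try:
        candidate.relative_to(base_dir)
    except ValueError:
        raise PathTraversalError(f"{name!r} escapes the base directory") from None
    # Even inside the base directory, only template files may be rendered;
    # this keeps configuration files out of reach of the Render path.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PathTraversalError(f"{name!r} is not a renderable file type")
    return candidate


def is_contained(base_dir: Path, name: str) -> bool:
    """True when render_path_safe() would accept the requested name."""
    try:
        render_path_safe(base_dir, name)
    except PathTraversalError:
        return False
    return True
```

A name that uses '..' but resolves back inside the base directory is accepted, which a naive substring check on '..' would wrongly reject; a sibling directory sharing the prefix is refused.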
