CVE-2025-0632
Published: 21 April 2025
Summary
CVE-2025-0632 is a critical-severity Path Traversal (CWE-22) vulnerability in Formulatrix Rock Maker (inferred from references). Its CVSS base score is 9.2 (Critical).
Operationally, it ranks in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-0632 is a local file inclusion vulnerability in the Render function of Formulatrix Rock Maker Web that stems from improper handling of file paths, enabling remote attackers to read arbitrary files on the host. The flaw affects Rock Maker Web versions 3.2.1.1 and later and is tracked under CWE-22 and CWE-98, carrying a CVSS 4.0 score of 9.2.
An unauthenticated remote attacker can supply crafted input to the Render function to execute malicious scripts that automatically retrieve configuration files from known locations, exfiltrating credentials and other sensitive data. Because the application lacks rate limiting, the same vector also permits systematic enumeration of the host filesystem, which can escalate to full system compromise.
The vendor has published a security bulletin and an updated installer (RockMakerWeb_3.18.4.7_setup.exe) on its download portal that address the issue; administrators should apply the patched build and review the accompanying bulletin for configuration guidance.
EPSS for the CVE reached a peak of 0.0269 after disclosure before settling at the current value of 0.0154, indicating a measurable increase in exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12383
Vulnerability details
Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in known locations to exfiltrate data including credentials, and with no rate limiting a malicious actor could enumerate the filesystem of the host machine and potentially lead to full host compromise. This issue affects Rock Maker Web: from 3.2.1.1 and later.
- CWE(s): CWE-22 (Path Traversal), CWE-98 (File Inclusion)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.