CVE-2025-10766
Published: 21 September 2025
Summary
CVE-2025-10766 is a low-severity Path Traversal (CWE-22) vulnerability in Zkea Zkeacms. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It ranks at the 35.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30377
Vulnerability details
A weakness has been identified in SeriaWei ZKEACMS up to version 4.3. The issue affects the function Download in the file EventViewerController.cs. Manipulating the argument ID can lead to path traversal, and the attack can be launched remotely.
The exploit has been made available to the public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal in the Download function of EventViewerController.cs enables remote arbitrary file reading. This supports Data from Local System (T1005), Unsecured Credentials: Credentials In Files (T1552.001) against files such as configuration files holding database credentials, Direct Volume Access (T1006, as mapped by VulDB), and Exploit Public-Facing Application (T1190).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validate pathnames and filenames so that resolved paths cannot escape the intended directory.