Cyber Resilience

CVE-2025-11630

LowPublic PoC

Published: 12 October 2025

Published
12 October 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 38.4th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11630 is a low-severity Path Traversal (CWE-22) vulnerability in Docsys Project Docsys. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-11630 is a path traversal vulnerability (CWE-22) in RainyGao DocSys versions up to 2.02.36. The issue affects the updateRealDoc function within the /Doc/uploadDoc.do endpoint of the File Upload component, where manipulation of the path argument allows attackers to traverse directories outside the intended upload location.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity. It can be exploited remotely by an authenticated user with low privileges, requiring no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized file access, modification, or deletion via directory traversal during file uploads.

VulDB advisories (ctiid.328042, id.328042, submit.664845) document the issue, noting that an exploit has been publicly disclosed on GitHub. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available from the references.

The public exploit availability increases the risk of immediate exploitation in affected environments.

EU & UK References

Vulnerability details

A vulnerability was found in RainyGao DocSys up to 2.02.36. Affected is the function updateRealDoc of the file /Doc/uploadDoc.do of the component File Upload. Performing manipulation of the argument path results in path traversal. The attack can be initiated remotely.…

more

The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in public-facing web application upload endpoint enables exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11631Same product: Docsys Project Docsys
CVE-2025-15492Same product: Docsys Project Docsys
CVE-2025-15494Same product: Docsys Project Docsys
CVE-2025-15493Same product: Docsys Project Docsys
CVE-2025-64075Shared CWE-22
CVE-2024-53537Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2025-0493Shared CWE-22
CVE-2025-70231Shared CWE-22
CVE-2026-43888Shared CWE-22

Affected Assets

docsys project
docsys
≤ 2.02.36

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the path argument in /Doc/uploadDoc.do to reject traversal sequences before file operations occur.

prevent

Enforces access-control policy on the upload endpoint so that only authorized paths within the intended directory may be written.

prevent

Limits the privileges of authenticated users so that even successful traversal yields minimal additional file-system access.

References