Cyber Resilience

CVE-2025-1336

MediumPublic PoC

Published: 16 February 2025

Published
16 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 37.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1336 is a medium-severity Path Traversal (CWE-22) vulnerability in Cmseasy Cmseasy. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1336 is a path traversal vulnerability (CWE-22) affecting CmsEasy version 7.7.7.9. The issue resides in the deleteimg_action function within the library file lib/admin/image_admin.php, where the imgname argument can be manipulated to traverse directories outside the intended path. This vulnerability has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), classifying it as medium severity with low confidentiality impact and no impact on integrity or availability.

The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring only network access and low attack complexity. Successful exploitation allows the attacker to read arbitrary files on the server by leveraging the path traversal in the imgname parameter, potentially exposing sensitive configuration data, source code, or other files outside the web root.

Advisories from VulDB and a public GitHub disclosure detail the vulnerability, including a proof-of-concept exploit. The vendor was notified early but has not responded or issued a patch. Security practitioners should restrict access to the affected admin functionality, implement input validation and sanitization for file paths, and monitor for exploitation attempts using the disclosed PoC.

EU & UK References

Vulnerability details

A vulnerability has been found in CmsEasy 7.7.7.9 and classified as problematic. Affected by this vulnerability is the function deleteimg_action in the library lib/admin/image_admin.php. The manipulation of the argument imgname leads to path traversal. The attack can be launched remotely.…

more

The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal vulnerability in public-facing CMS enables exploitation (T1190) and arbitrary file deletion for indicator removal (T1070.004).

CVEs Like This One

CVE-2025-1335Same product: Cmseasy Cmseasy
CVE-2026-3666Shared CWE-22
CVE-2018-25308Shared CWE-22
CVE-2026-22460Shared CWE-22
CVE-2025-69377Shared CWE-22
CVE-2025-14850Shared CWE-22
CVE-2025-26752Shared CWE-22
CVE-2026-4350Shared CWE-22
CVE-2025-65792Shared CWE-22
CVE-2026-4758Shared CWE-22

Affected Assets

cmseasy
cmseasy
7.7.7.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates path traversal in the imgname parameter by enforcing input validation mechanisms to restrict file paths to authorized directories.

prevent

Requires identification, reporting, and timely remediation of the path traversal flaw in deleteimg_action to eliminate the vulnerability.

prevent

Enforces least privilege to restrict access to the vulnerable admin image deletion function, limiting exploitation to only necessary low-privilege users.

References