CVE-2025-13787
Published: 30 November 2025
Summary
CVE-2025-13787 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Zentao Zentao. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-199929
Vulnerability details
A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is…
more
possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables horizontal privilege escalation via exploitation of improper authorization checks (T1068), allowing arbitrary file deletion for indicator removal/evasion (T1070.004) or disruptive impact (T1107).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Implements core proper privilege management by restricting to only required rights.
Enforces proper privilege management by requiring all decisions through the verified reference monitor.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.