Cyber Posture

CVE-2025-14182

Severity: Medium

Published: 07 December 2025
Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0007 (20.9th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14182 is a medium-severity Path Traversal (CWE-22) vulnerability in Sobey Media Convergence System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and File and Directory Discovery (T1083). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent (SI-10 Information Input Validation): Directly validates the 'File' argument in the upload endpoint to reject path traversal sequences like '../', preventing unauthorized directory access.
- prevent (AC-3 Access Enforcement): Enforces logical access controls on files and directories, denying unauthorized reads, writes, or modifications even if path traversal bypasses application logic.
- prevent: Boundary protection at web interfaces, such as WAF rules, inspects and blocks remote requests containing path traversal payloads targeting the upload endpoint.
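The following is an added example, not code from Sobey or from this page, showing what the first and third controls above look like in practice for a File-style upload argument: a validation routine that canonicalises the supplied name and confirms it still resolves inside the upload root (SI-10), and a small scan over access-log lines that flags requests to the upload endpoint whose File argument fails that same check (the boundary/WAF control). The endpoint path comes from the NVD description; the storage root, the log lines and the request format are constructed assumptions for the example.

```python
import os
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the NVD description for CVE-2025-14182.
UPLOAD_ENDPOINT = "/sobey-mchEditor/watermark/upload"
# Assumed upload root; a placeholder, not a path documented by the vendor.
BASE_DIR = "/srv/sobey/watermarks"


class PathTraversalError(ValueError):
    """Raised when a File argument would escape the upload directory."""


def resolve_upload_target(file_arg: str, base_dir: str = BASE_DIR) -> str:
    """Map an untrusted File argument to an on-disk path under base_dir.

    Rejects the usual traversal tricks (encoded or double-encoded separators,
    NUL bytes, absolute paths, '..' segments) and then, as defence in depth,
    resolves the candidate and checks it is still contained in base_dir.
    """
    decoded = unquote(file_arg)
    if unquote(decoded) != decoded:
        raise PathTraversalError("double URL-encoding in File argument")
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in File argument")
    # Treat backslashes as separators too, in case the service runs on Windows.
    normalized = decoded.replace("\\", "/")
    if posixpath.isabs(normalized):
        raise PathTraversalError("absolute path in File argument")
    if ".." in normalized.split("/"):
        raise PathTraversalError("parent-directory segment in File argument")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, normalized))
    # Containment check on the resolved path catches anything the lexical
    # checks above missed (e.g. symlinks inside the upload root).
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError("File argument resolves outside the upload root")
    return candidate


def is_safe_file_arg(file_arg: str) -> bool:
    """True if the File argument passes validation, False otherwise."""
    try:
        resolve_upload_target(file_arg)
        return True
    except PathTraversalError:
        return False


# Request line inside a common-log-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')


def flag_traversal_requests(log_lines):
    """Return the log lines whose File argument to the upload endpoint
    would fail validation; this is the detection side of the WAF control."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != UPLOAD_ENDPOINT:
            continue
        # parse_qs already decodes one layer of percent-encoding.
        for file_arg in parse_qs(url.query).get("File", []):
            if not is_safe_file_arg(file_arg):
                flagged.append(line)
                break
    return flagged


# Constructed sample log lines (not real traffic): one benign upload, one
# traversal attempt against the upload endpoint, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Dec/2025:03:15:58 +0000] '
    '"POST /sobey-mchEditor/watermark/upload?File=logo.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Dec/2025:03:16:02 +0000] '
    '"POST /sobey-mchEditor/watermark/upload?File=..%2F..%2Fapp.conf HTTP/1.1" 200 1024',
    '198.51.100.7 - - [07/Dec/2025:03:16:10 +0000] '
    '"GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The lexical checks reject the input early and give a precise reason for logging; the realpath containment check is what actually guarantees the file lands under the upload root, so keep both rather than relying on a denylist of '../' strings alone.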

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Path traversal vulnerability in public-facing web upload endpoint (T1190) enables unauthorized file access and discovery outside intended directories (T1083), with confirmed impacts to confidentiality and integrity.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability has been found in Sobey Media Convergence System 2.0/2.1. This vulnerability affects unknown code of the file /sobey-mchEditor/watermark/upload. The manipulation of the argument File leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Deeper analysis [AI]

CVE-2025-14182 is a path traversal vulnerability (CWE-22) discovered in Sobey Media Convergence System versions 2.0 and 2.1. The issue resides in unknown code associated with the /sobey-mchEditor/watermark/upload file or endpoint, where manipulation of the "File" argument enables traversal outside intended directories. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-12-07T03:15:58.340.

The vulnerability can be exploited remotely by an attacker possessing low privileges (PR:L). By crafting a request that abuses the File argument, the attacker can achieve limited impacts: low confidentiality (C:L) through potential unauthorized file access, low integrity (I:L) via file modification, and low availability (A:L) effects such as denial of service on targeted files.

Advisories detailing the vulnerability are available from VulDB (https://vuldb.com/?ctiid.334602, https://vuldb.com/?id.334602, https://vuldb.com/?submit.698561) and GitHub (https://github.com/hacker-routing/cve/issues/1). The exploit has been publicly disclosed and may be actively used by attackers.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

Vendor: sobey
Product: media convergence system
Versions: 2.0, 2.1

CVEs Like This One

CVE-2026-33670 (shared CWE-22)
CVE-2026-40163 (shared CWE-22)
CVE-2026-30914 (shared CWE-22)
CVE-2025-60946 (shared CWE-22)
CVE-2024-57549 (shared CWE-22)
CVE-2025-2264 (shared CWE-22)
CVE-2026-6024 (shared CWE-22)
CVE-2025-67160 (shared CWE-22)
CVE-2026-22557 (shared CWE-22)
CVE-2024-57727 (shared CWE-22)

References