Cyber Resilience

CVE-2025-15589

Medium · Public PoC

Published: 24 February 2026

Modified: 26 February 2026
KEV Added:
Patch:
CVSS Score v4: 5.1
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0018 (39.7th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15589 is a medium-severity Path Traversal (CWE-22) vulnerability in MuYuCMS. Its CVSS v4 base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE ranks at the 39.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-15589 is a path traversal vulnerability (CWE-22) affecting MuYuCMS version 2.7. The issue resides in the delete_dir_file function within the file application/admin/controller/Template.php of the Template Management Page. It arises from manipulation of the temn/tp argument, enabling attackers to traverse directories outside the intended path.

The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). Exploitation remains in the same security scope (S:U) and results in no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L), yielding a CVSS v3.1 base score of 3.8.

Advisories from VulDB and related disclosures indicate that a proof-of-concept exploit has been publicly released on GitHub, which may be utilized by attackers. The vendor was contacted early regarding the issue but provided no response, and no patches or official mitigations are available.

Vulnerability details

A vulnerability was determined in MuYuCMS 2.7. Affected is the function delete_dir_file of the file application/admin/controller/Template.php of the component Template Management Page. This manipulation of the argument temn/tp causes path traversal. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1485: Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1070.004: File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Path traversal in delete_dir_file enables arbitrary file/directory deletion, directly supporting data destruction (T1485) and file deletion for defense evasion (T1070.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68862 (Shared CWE-22)
CVE-2025-13377 (Shared CWE-22)
CVE-2026-27040 (Shared CWE-22)
CVE-2024-13897 (Shared CWE-22)
CVE-2026-24135 (Shared CWE-22)
CVE-2026-24969 (Shared CWE-22)
CVE-2024-13910 (Shared CWE-22)
CVE-2025-68907 (Shared CWE-22)
CVE-2025-5391 (Shared CWE-22)
CVE-2025-65879 (Shared CWE-22)

Affected Assets

Vendor: muyucms
Product: muyucms
Version: 2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly blocks the path traversal by validating the temn/tp argument in delete_dir_file before any directory operations occur.

Prevent: Enforces strict access control policies on file-system operations within the Template Management controller so traversal outside the intended directory is denied.

Prevent: Limits the privileges granted to the Template Management function, reducing the ability of even an authenticated high-privilege account to perform arbitrary directory deletions.
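The input-validation and access-enforcement controls above, sketched as an added example that is not MuYuCMS code and not from the vendor or the advisory. The function names, the single template root and the allowed name pattern are assumptions, since the page does not show the signature or body of delete_dir_file.

```php
<?php
// Added example: hypothetical helpers, not MuYuCMS code; names and layout are assumptions.
/** Resolve $name under $root; null if it is not a directory strictly inside $root. */
function resolve_template_dir(string $root, string $name): ?string
{
    // 1. Allowlist: one path segment, so no separators, "." or "..".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() resolves "..", "." and symlinks.
    $base = realpath($root);
    $target = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;
    }
    // 3. Containment, with a trailing separator so "/tpl" never matches "/tpl_old".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}
/** Delete a template directory only when the checks above pass. */
function delete_template(string $root, string $name): bool
{
    $dir = resolve_template_dir($root, $name);
    if ($dir === null) {
        error_log('template delete refused: ' . json_encode($name)); // detection signal
        return false;
    }
    $walk = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($walk as $entry) {
        // Symlinks are unlinked, never followed.
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($entry->getPathname());
        } else {
            unlink($entry->getPathname());
        }
    }
    return rmdir($dir);
}

// Constructed demo in a scratch directory: one template, one sibling directory.
$scratch = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir("$scratch/template/default", 0700, true);
mkdir("$scratch/config", 0700, true);
touch("$scratch/template/default/index.html");
var_dump(delete_template("$scratch/template", 'default'));   // request inside the root
var_dump(delete_template("$scratch/template", '../config')); // request outside the root
var_dump(is_dir("$scratch/config"));                         // sibling directory state
```

The refused-request log line gives detection a signal to alert on when an admin session submits a name that fails the checks.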
