CVE-2025-15589
Published: 24 February 2026
Summary
CVE-2025-15589 is a medium-severity Path Traversal (CWE-22) vulnerability in Muyucms Muyucms. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-15589 is a path traversal vulnerability (CWE-22) affecting MuYuCMS version 2.7. The issue resides in the delete_dir_file function within the file application/admin/controller/Template.php of the Template Management Page. It arises from manipulation of the temn/tp argument, enabling attackers to traverse directories outside the intended path.
The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). Exploitation remains in the same security scope (S:U) and results in no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L), yielding a CVSS v3.1 base score of 3.8.
Advisories from VulDB and related disclosures indicate that a proof-of-concept exploit has been publicly released on GitHub, which may be utilized by attackers. The vendor was contacted early regarding the issue but provided no response, and no patches or official mitigations are available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207549
Vulnerability details
A vulnerability was determined in MuYuCMS 2.7. Affected is the function delete_dir_file of the file application/admin/controller/Template.php of the component Template Management Page. This manipulation of the argument temn/tp causes path traversal. It is possible to initiate the attack remotely. The…
more
exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in delete_dir_file enables arbitrary file/directory deletion, directly supporting data destruction (T1485) and file deletion for defense evasion (T1070.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the path traversal by validating the temn/tp argument in delete_dir_file before any directory operations occur.
Enforces strict access control policies on file-system operations within the Template Management controller so traversal outside the intended directory is denied.
Limits the privileges granted to the Template Management function, reducing the ability of even an authenticated high-privilege account to perform arbitrary directory deletions.