CVE-2025-2147
Published: 10 March 2025
Summary
CVE-2025-2147 is a medium-severity Forced Browsing (CWE-425) vulnerability in Caishixiong Modern Farm Digital Integrated Management System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to system resources, directly preventing unauthorized remote disclosure of files and directories.
Validates inputs from external sources to block manipulation exploits like path traversal that enable file and directory access.
Enforces access controls specifically for public access to information, mitigating unauthorized disclosures via internet-facing endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is in a public-facing web application and allows remote unauthenticated access to files/directories via manipulation, directly enabling T1190 (exploiting public-facing apps) and facilitating T1083 (file/directory discovery) and T1005 (data from local system).
NVD Description
A vulnerability was found in Beijing Zhide Intelligent Internet Technology Modern Farm Digital Integrated Management System 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to files or directories accessible. It is possible to…
more
launch the attack remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-2147 is a vulnerability affecting Beijing Zhide Intelligent Internet Technology Modern Farm Digital Integrated Management System version 1.0. The issue resides in an unknown function across multiple endpoints, enabling files or directories to be accessible through manipulation. Classified as problematic, it maps to CWEs-425 (Unrestricted Upload of File with Dangerous Type) and CWE-552 (Files or Directories Accessible to External Parties), with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
The vulnerability is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation grants limited access to confidential information, such as unauthorized file or directory disclosure, without impacting integrity or availability.
VulDB advisories indicate the vendor was contacted early about the disclosure but provided no response. The exploit has been publicly disclosed, including details in a GitHub repository, and may be actively used by attackers. No patches or mitigations are referenced in the available sources.
Details
- CWE(s)