CVE-2025-2147
Published: 10 March 2025
Summary
CVE-2025-2147 is a medium-severity Forced Browsing (CWE-425) vulnerability in Caishixiong Modern Farm Digital Integrated Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2025-2147 is a vulnerability affecting Beijing Zhide Intelligent Internet Technology Modern Farm Digital Integrated Management System version 1.0. The issue resides in an unknown function across multiple endpoints, enabling files or directories to be accessible through manipulation. Classified as problematic, it maps to CWEs-425 (Unrestricted Upload of File with Dangerous Type) and CWE-552 (Files or Directories Accessible to External Parties), with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
The vulnerability is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation grants limited access to confidential information, such as unauthorized file or directory disclosure, without impacting integrity or availability.
VulDB advisories indicate the vendor was contacted early about the disclosure but provided no response. The exploit has been publicly disclosed, including details in a GitHub repository, and may be actively used by attackers. No patches or mitigations are referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7521
Vulnerability details
A vulnerability was found in Beijing Zhide Intelligent Internet Technology Modern Farm Digital Integrated Management System 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to files or directories accessible. It is possible to…
more
launch the attack remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is in a public-facing web application and allows remote unauthenticated access to files/directories via manipulation, directly enabling T1190 (exploiting public-facing apps) and facilitating T1083 (file/directory discovery) and T1005 (data from local system).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for logical access to system resources, directly preventing unauthorized remote disclosure of files and directories.
Validates inputs from external sources to block manipulation exploits like path traversal that enable file and directory access.
Enforces access controls specifically for public access to information, mitigating unauthorized disclosures via internet-facing endpoints.