Cyber Resilience

CVE-2025-22152

CriticalRCE

Published: 10 January 2025

Published
10 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0063 45.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-22152 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22152 is a high-severity vulnerability in Atheos, a self-hosted browser-based cloud IDE, affecting versions prior to v600. It arises from improper validation of the $path and $target parameters across multiple components, enabling path traversal (CWE-22), code injection (CWE-94), and unquoted search path or element issues (CWE-434). These flaws exist in various PHP files and allow attackers to read, modify, or execute arbitrary files on the server. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting critical impacts with changed scope.

A privileged user (PR:H) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants the ability to perform arbitrary file reads, modifications, or executions, potentially leading to complete server compromise, including data exfiltration, persistence, or further lateral movement.

The issue is addressed in Atheos v600, which includes fixes for parameter validation. Additional details are available in the GitHub security advisory at https://github.com/Atheos/Atheos/security/advisories/GHSA-rgjm-6p59-537v.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities can be exploited…

more

through various attack vectors present in multiple PHP files. This vulnerability is fixed in v600.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal + code injection in public-facing PHP web IDE directly enables remote exploitation (T1190) and arbitrary file execution for web shell deployment (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34607Shared CWE-22
CVE-2015-10144Shared CWE-434
CVE-2026-37748Shared CWE-434
CVE-2025-49387Shared CWE-434
CVE-2022-41573Shared CWE-434
CVE-2025-68549Shared CWE-434
CVE-2025-14894Shared CWE-434
CVE-2025-65783Shared CWE-434
CVE-2025-52744Shared CWE-94
CVE-2025-25790Shared CWE-434

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the core issue of improper validation of $path and $target parameters, preventing path traversal, code injection, and arbitrary file operations.

prevent

Ensures timely identification, reporting, and patching of the specific flaw fixed in Atheos v600, blocking exploitation of the vulnerability.

prevent

Restricts input types and values at application boundaries to valid paths and targets, complementing validation to block traversal and injection attempts.

References