CVE-2025-22923
Published: 02 April 2025
Summary
CVE-2025-22923 is a high-severity Path Traversal (CWE-22) vulnerability in Os4Ed Opensis. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Indicator Removal: File Deletion (T1070.004). The CVE ranks in the top 19.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-22923 is a path traversal vulnerability affecting OS4ED openSIS versions 8.0 through 9.1. The flaw exists in the staff user module and allows directory traversal during file removal operations when a crafted POST request is sent to the endpoint /Modules.php?modname=users/Staff.php&removefile. It is tracked under CWE-22 and carries a CVSS 3.1 score of 8.8.
An authenticated attacker with low privileges can exploit the issue remotely with low attack complexity and no user interaction required. Successful exploitation enables deletion of arbitrary files on the server, producing high impact across confidentiality, integrity, and availability.
Public references consist of the openSIS project repository and a vulnerability-research repository that documents the finding; no official advisories or patch information are included in the provided sources. The associated EPSS scores remain low, with a current value of 0.0132 and a recorded peak of 0.0190.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9653
Vulnerability details
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing web application (T1190) via directory traversal to perform arbitrary file deletion (T1070.004) for indicator removal.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
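As an added illustration of that control (example code, not code from the openSIS project), a PHP remove-file handler that canonicalises the requested name and refuses anything that resolves outside the intended directory; the base directory path and the `file` parameter name are assumptions:

```php
<?php
// Added example, not openSIS code: a remove-file handler that only ever unlinks
// a file that sits directly inside the intended directory. $baseDir and the
// 'file' POST parameter are hypothetical names chosen for this illustration.

function safeRemoveFile(string $baseDir, string $requestedName): bool
{
    // Canonicalise the intended directory once; realpath() returns false if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // Only a bare file name is legitimate here: reject path separators and NUL bytes outright,
    // so "../", "..\\" and truncation tricks never reach the filesystem call.
    if ($requestedName === '' || preg_match('#[/\\\\\x00]#', $requestedName)) {
        return false;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    // realpath() collapses "." and "..", and follows symlinks, so a result that does not start
    // with "$base/" means the name escaped the directory (or the file simply does not exist).
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // Refuse directories and special files; only regular files are removable.
    if (!is_file($candidate)) {
        return false;
    }
    return unlink($candidate);
}

// Usage sketch for a remove-file request (hypothetical directory and parameter name):
// $ok = safeRemoveFile(__DIR__ . '/assets/staffFiles', $_POST['file'] ?? '');
```

Because the name check rejects separators entirely, values such as `..`, `.` or anything containing `/` are refused before `unlink()` is reached, and the prefix comparison catches any symlink that points outside the directory.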