Cyber Resilience

CVE-2025-22926

Critical

Published: 03 April 2025
Modified: 30 April 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0103 (77.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22926 is a critical-severity Path Traversal (CWE-22) vulnerability in OS4ED openSIS. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 22.3% of CVEs by exploit likelihood (77.7th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-22926 is a directory traversal vulnerability, tracked as CWE-22, that affects the openSIS student information system from OS4ED in versions 8.0 through 9.1. The flaw resides in the messaging component and can be triggered by a crafted POST request to the endpoint /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply a malicious filename parameter in the POST request to traverse directories on the underlying server. Because the vulnerable function is a save handler, the most direct consequence is an arbitrary file write outside the intended directory; depending on how the handler treats the supplied path, arbitrary reads are possible as well. Writing a PHP file under the web root yields code execution as the web-server user, and reads expose source code or configuration files (database credentials included). What is ultimately reachable depends on the web-server privileges and file-system permissions, up to full system compromise.

The two public references point to the openSIS-Classic GitHub repository and a dedicated vulnerability-research repository that documents the issue; neither reference supplies vendor advisories, patch details, or mitigation guidance. The associated EPSS score remains low, with a current value of 0.0103 and a recorded peak of 0.0178.


Vulnerability details

An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Directory traversal in a file-save endpoint of an Internet-facing web application is a direct instance of T1190, and the resulting arbitrary file write is the usual route to web shell deployment (T1505.003): a PHP file dropped under the web root gives the attacker persistent, unauthenticated code execution.
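As an added example (not code from this page, from OS4ED, or from the openSIS project), the following Python scans web-server access-log lines for POST requests to the endpoint named above whose filename parameter carries a traversal sequence, percent-decoding repeatedly so double-encoded payloads are not missed. The log lines are constructed for illustration and assume the Apache/nginx combined format; the field names in the returned records are this example's own choice.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample traffic (combined log format); these are not real requests.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2025:10:01:12 +0000] "POST /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename=notes.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Apr/2025:10:01:40 +0000] "POST /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename=../../../../var/www/html/shell.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
203.0.113.9 - - [03/Apr/2025:10:02:01 +0000] "POST /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename=..%252f..%252fconfig.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.7 - - [03/Apr/2025:10:03:15 +0000] "GET /Modules.php?modname=messaging/Inbox.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ".." touching a path separator (or standing alone); also catches "....//" style
# evasions because "..//" still contains "../".
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)|[\\/]\.\.')


def full_decode(value, rounds=3):
    """Percent-decode until stable (bounded) so ..%252f becomes ../ and is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(filename):
    """True when a filename could escape its intended directory."""
    name = full_decode(filename).replace("\\", "/")
    return name.startswith("/") or bool(TRAVERSAL_RE.search(name))


def flag_requests(log_text):
    """Return records for POSTs to the vulnerable save handler with a traversal filename."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path != "/Modules.php":
            continue
        # parse_qs already decodes one layer; full_decode below handles the rest.
        q = parse_qs(url.query, keep_blank_values=True)
        if q.get("modname") != ["messaging/Inbox.php"] or q.get("modfunc") != ["save"]:
            continue
        for fname in q.get("filename", []):
            if is_traversal(fname):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "filename": full_decode(fname),
                })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The filename may also travel in the POST body rather than the query string, and a standard access log does not record bodies; the same check then has to run where the body is visible (WAF, reverse proxy or application log). A 200 response to a flagged request should be treated as a possible successful write, not a blocked attempt, and the target path in the hit is the first place to look for a dropped web shell.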

Affected Assets

os4ed opensis, versions 8.0 through 9.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.

Pathname and filename validation (addresses CWE-22)

Validate pathnames and filenames so that a request cannot name a location outside the intended directory. Canonicalise the path (resolve "..", symlinks and absolute components) before checking containment rather than stripping "../" substrings, which leaves encoded and doubled forms intact, and for an upload or save handler reject any directory component in the user-supplied name outright.
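The arbitrary write described in the deeper analysis and the pathname-validation control listed here, as one added Python example that is neither openSIS code nor a vendor fix: vulnerable_save shows the CWE-22 pattern of joining a caller-supplied filename straight onto an upload root, and safe_save shows the control, reducing the name to a bare basename, checking it against an extension allowlist (ALLOWED_EXT, an assumed policy), resolving the final path and confirming it stays under the root, and creating the file with O_EXCL so nothing already present is overwritten. demo() runs both in a throwaway directory with a constructed attacker filename; every function and constant name here is this example's own.

```python
import os
import tempfile
from pathlib import Path

# Assumed policy for the example: which upload types the application accepts.
ALLOWED_EXT = {".txt", ".pdf", ".png"}


def vulnerable_save(upload_root, filename, data):
    """The CWE-22 pattern: the caller's filename is joined onto the root unchanged.

    '../' segments walk out of upload_root, and if filename is absolute
    os.path.join discards upload_root entirely, so the write lands wherever the
    caller chose. Returns the real path that was actually written."""
    path = os.path.join(upload_root, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def sanitize_filename(filename):
    """Reduce a user-supplied name to a bare basename, or None if it must be rejected."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith(".") or "\x00" in name:
        return None
    if Path(name).suffix.lower() not in ALLOWED_EXT:
        return None
    return name


def is_inside(upload_root, relative_path):
    """Containment check: the resolved target must sit strictly below the resolved root.

    Resolving applies '..', symlinks and absolute components the way the OS will,
    so the comparison is on the path that would really be opened."""
    root = Path(upload_root).resolve()
    target = (root / relative_path).resolve()
    return root in target.parents


def safe_save(upload_root, filename, data):
    """Hardened counterpart of vulnerable_save; raises ValueError on a bad name."""
    name = sanitize_filename(filename)
    if name is None or not is_inside(upload_root, name):
        raise ValueError(f"rejected filename: {filename!r}")
    target = Path(upload_root).resolve() / name
    # O_EXCL: refuse to overwrite an existing file even inside the root.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Run both savers in a temporary directory (constructed scenario) and report."""
    tmp = Path(tempfile.mkdtemp())
    uploads = tmp / "uploads"
    uploads.mkdir()
    payload = b"<?php system($_GET['c']); ?>"   # stand-in for a dropped web shell
    attacker_name = "../outside/shell.php"        # constructed traversal filename

    written = vulnerable_save(str(uploads), attacker_name, payload)
    try:
        safe_save(str(uploads), attacker_name, payload)
        blocked = False
    except ValueError:
        blocked = True
    benign = safe_save(str(uploads), "report.txt", b"ok")

    return {
        "vulnerable_escaped_root": not written.startswith(str(uploads.resolve()) + os.sep),
        "safe_blocked_traversal": blocked,
        "benign_inside_root": benign.parent == uploads.resolve(),
    }


if __name__ == "__main__":
    print(demo())
```

The containment test is deliberately strict (the root itself does not count as inside) and runs after sanitisation rather than instead of it: the basename step removes the attacker's control over the directory, the allowlist removes executable types, and the resolve-and-compare step is the backstop if either of the first two is ever loosened.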

References