CVE-2025-22927
Published: 03 April 2025
Summary
CVE-2025-22927 is a critical-severity Path Traversal (CWE-22) vulnerability in Os4Ed Opensis. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-22927 is a path traversal vulnerability (CWE-22) affecting OS4ED openSIS versions 8.0 through 9.1. The flaw resides in the messaging module and can be triggered by an unauthenticated POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename containing directory-traversal sequences in the filename parameter. The issue carries a CVSS 3.1 base score of 9.1, reflecting network attack vector, low complexity, and no required privileges or user interaction, with high impact on confidentiality and integrity.
An attacker can send a crafted request to read or write arbitrary files on the server filesystem outside the web root. Successful exploitation grants the ability to access sensitive configuration files, source code, or user data and potentially to upload or modify application files, all without authentication.
The supplied references point to the openSIS-Classic GitHub repository and a public vulnerability-research repository containing further technical details; no vendor advisory or patch information is included in the provided references. The associated EPSS score remains low, moving only from 0.0166 to a peak of 0.0172.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9613
Vulnerability details
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The directory traversal vulnerability in the public-facing openSIS web application (T1190) enables unauthorized file and directory discovery (T1083) via crafted requests.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.