Cyber Resilience

CVE-2025-22927

Critical

Published: 03 April 2025

Modified: 17 July 2025
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0166 (82.5th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22927 is a critical-severity Path Traversal (CWE-22) vulnerability in OS4ED openSIS. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 17.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-22927 is a path traversal vulnerability (CWE-22) affecting OS4ED openSIS versions 8.0 through 9.1. The flaw resides in the messaging module and can be triggered by an unauthenticated POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename containing directory-traversal sequences in the filename parameter. The issue carries a CVSS 3.1 base score of 9.1, reflecting network attack vector, low complexity, and no required privileges or user interaction, with high impact on confidentiality and integrity.

An attacker can send a crafted request to read or write arbitrary files on the server filesystem outside the web root. Successful exploitation grants the ability to access sensitive configuration files, source code, or user data and potentially to upload or modify application files, all without authentication.

The supplied references point to the openSIS-Classic GitHub repository and a public vulnerability-research repository containing further technical details; no vendor advisory or patch information is included in the provided references. The associated EPSS score remains low, moving only from 0.0166 to a peak of 0.0172.

Vulnerability details

An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.

CWE(s)

CWE-22 Path Traversal
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

The directory traversal vulnerability in the public-facing openSIS web application (T1190) enables unauthorized file and directory discovery (T1083) via crafted requests.

Affected Assets

OS4ED openSIS, versions 8.0 through 9.1

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname and filename validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
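The control above is generic, so here is an added example of what "validates pathnames and filenames" means in practice. This is illustration code written for this page; it is not openSIS code and does not reproduce the vulnerable handler. The upload directory, the helper names and the sample filenames are all constructed for the demonstration. It contrasts the weak pattern (joining user input onto a directory with no checks) with a hardened resolver that rejects NUL bytes, path separators and dot components, canonicalizes the result, and confirms it is still contained in the intended base directory.

```python
import os
from typing import List, Optional, Tuple

# Hypothetical upload root standing in for the application's intended directory.
BASE_DIR = os.path.realpath("/var/www/app/uploads")


def naive_join(base_dir: str, filename: str) -> str:
    """The weak pattern: user input is appended to a directory with no checks.

    os.path.join does not neutralize '..' components, and an absolute second
    argument silently discards base_dir altogether. Shown only as the contrast
    case for resolve_safely().
    """
    return os.path.join(base_dir, filename)


def resolve_safely(base_dir: str, filename: str) -> Optional[str]:
    """Return an absolute path inside base_dir, or None if the input is unsafe.

    Checks, in order:
      1. reject empty names and embedded NUL bytes (C-string truncation);
      2. require a single path component: no '/' or '\\' and not '.' or '..';
      3. canonicalize base and candidate (symlinks, '..', duplicate separators)
         and require the candidate to remain under the canonical base.
    """
    if not filename or "\x00" in filename:
        return None
    # A message attachment name should be one component, never a path.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Containment check: commonpath equals base only if candidate is inside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_filenames(names: List[str]) -> List[Tuple[str, str]]:
    """Run a batch of candidate names through resolve_safely() and label each.

    Useful as a quick regression check for the validator itself.
    """
    results = []
    for name in names:
        status = "accepted" if resolve_safely(BASE_DIR, name) else "rejected"
        results.append((name, status))
    return results


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and several traversal shapes.
    samples = [
        "report.pdf",
        "../../../../etc/passwd",
        "/etc/passwd",
        "..\\..\\config.php",
        "notes\x00.txt",
        "..",
    ]
    for name, status in classify_filenames(samples):
        print(f"{status:9s} {name!r}")
    # The weak pattern normalizes straight out of the upload directory.
    print("naive:", os.path.normpath(naive_join(BASE_DIR, "../../../../etc/passwd")))
```

The separator check happens before canonicalization on purpose: realpath() alone would accept a backslash name on Linux, where the backslash is an ordinary character, yet the same name traverses on Windows. Rejecting anything that is not a bare component keeps the validator correct on both platforms, and the final commonpath() test catches symlinks inside the base directory that point elsewhere.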
