Cyber Resilience

CVE-2025-25759

Severity: High

Published: 27 February 2025
Modified: 09 April 2025
KEV Added: not listed
Patch: none recorded
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0077 (74.1st percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25759 is a high-severity Path Traversal (CWE-22) vulnerability in Sucms Project Sucms. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25759 affects the admin_template.php component in SUCMS version 1.0. The flaw permits directory traversal combined with arbitrary file deletion when an attacker supplies a specially crafted GET request, corresponding to CWE-22 and CWE-552. The vulnerability carries a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

Unauthenticated remote attackers can exploit the issue to traverse directories and delete arbitrary files on the server, resulting in high integrity impact without affecting confidentiality or availability (per the CVSS vector). Successful exploitation requires only the ability to reach the vulnerable endpoint over the network; no authentication is needed.

The single reference is a technical PDF hosted on GitHub that documents the finding; no vendor advisory or patch information is included in the available data. EPSS remains low, with a current score of 0.0077 and a peak of 0.0116, indicating limited observed exploitation interest to date.

Vulnerability details

An issue in the component admin_template.php of SUCMS v1.0 allows attackers to execute a directory traversal and arbitrary file deletion via a crafted GET request.

CWE(s): CWE-22 (Path Traversal), CWE-552 (Files or Directories Accessible to External Parties)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Web-based path traversal enables remote exploitation of a public-facing application (T1190) and direct arbitrary file deletion, whether for indicator removal or for data destruction (T1070.004, T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
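As an added example (not code from the advisory or from the SUCMS project), the following Python scanner flags GET requests to admin_template.php whose query values carry a '..' path segment, including percent-encoded and double-encoded forms that the advisory text does not spell out; the query parameter name `tpl` and the log entries are constructed assumptions.

```python
"""Flag directory-traversal attempts against admin_template.php in web access logs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a Common/Combined Log Format entry, e.g. "GET /x?y=z HTTP/1.1".
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A '..' path segment: at the start or after a separator, followed by a separator or the end.
_DOTDOT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode a bounded number of times (catches %2e%2e%2f and double-encoded
    %252e%252e%252f) and fold backslashes to slashes before inspecting the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal_attempt(target: str, endpoint: str = "admin_template.php") -> bool:
    """True when the request hits the given script and any query value contains a '..' segment."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != endpoint:
        return False
    # parse_qsl already decodes one layer; normalize() handles deeper encoding.
    return any(_DOTDOT.search(normalize(raw)) for _, raw in parse_qsl(parts.query, keep_blank_values=True))


def scan_log(lines):
    """Return (line_number, request_target) for each GET that looks like a traversal attempt."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ.search(line)
        if m and m.group("method") == "GET" and is_traversal_attempt(m.group("target")):
            hits.append((n, m.group("target")))
    return hits


# Constructed sample entries, not real traffic. The query parameter name 'tpl' is an assumption.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2025:10:00:01 +0000] "GET /admin_template.php?tpl=index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2025:10:00:02 +0000] "GET /admin_template.php?tpl=../../example.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Mar/2025:10:00:03 +0000] "GET /admin_template.php?tpl=%2e%2e%2f%2e%2e%2fexample.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Mar/2025:10:00:04 +0000] "GET /admin_template.php?tpl=%252e%252e%252fexample.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Mar/2025:10:00:05 +0000] "GET /index.php?page=../../example.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: traversal attempt against admin_template.php: {target}")
```

Lines 2 to 4 of the constructed sample are reported; line 5 is not, because it targets a different script, so tune `endpoint` to the paths your SUCMS deployment actually serves.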

CVEs Like This One

CVE-2025-25760 (same product: Sucms Project Sucms)
CVE-2024-13194 (same product: Sucms Project Sucms)
CVE-2026-24969 (shared CWE-22)
CVE-2025-37168 (shared CWE-552)
CVE-2024-13910 (shared CWE-22)
CVE-2025-68907 (shared CWE-22)
CVE-2025-65879 (shared CWE-22)
CVE-2025-6989 (shared CWE-22)
CVE-2025-69990 (shared CWE-552)
CVE-2026-31913 (shared CWE-22)

Affected Assets

Vendor: sucms project
Product: sucms
Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: SI-10 (Information Input Validation). Directly validates crafted GET request parameters in admin_template.php to block directory traversal and prevent arbitrary file deletion.

Prevent: SI-2 (Flaw Remediation). Identifies, reports, and corrects the path traversal flaw in SUCMS v1.0's admin_template.php, eliminating the root cause of the vulnerability.

Prevent: Restricts the types and characteristics of GET request inputs to exclude path traversal sequences such as '../' that target arbitrary file deletion.
