CVE-2025-25759
Published: 27 February 2025
Summary
CVE-2025-25759 is a high-severity Path Traversal (CWE-22) vulnerability in Sucms Project Sucms. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25759 affects the admin_template.php component in SUCMS version 1.0. The flaw permits directory traversal combined with arbitrary file deletion when an attacker supplies a specially crafted GET request, corresponding to CWE-22 and CWE-552. The vulnerability carries a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, and no privileges or user interaction required.
Unauthenticated remote attackers can exploit the issue to traverse directories and delete arbitrary files on the server, resulting in high integrity impact without affecting confidentiality or availability. Successful exploitation requires only the ability to reach the vulnerable endpoint over the network.
The single reference is a technical PDF hosted on GitHub that documents the finding; no vendor advisory or patch information is included in the available data. EPSS remains low, with a current score of 0.0077 and a peak of 0.0116, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5473
Vulnerability details
An issue in the component admin_template.php of SUCMS v1.0 allows attackers to execute a directory traversal and arbitrary file deletion via a crafted GET request.
- CWE(s): CWE-22, CWE-552
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Web-based path traversal enables remote exploitation of public-facing app (T1190) and direct arbitrary file deletion for indicator removal or data destruction (T1070.004, T1485).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly validates crafted GET request parameters in admin_template.php to block directory traversal and prevent arbitrary file deletion.
- SI-2 (Flaw Remediation): Identifies, reports, and corrects the path traversal flaw in SUCMS v1.0's admin_template.php, eliminating the root cause of the vulnerability.
- Restricts the types and characteristics of GET request inputs to exclude path traversal sequences such as '../' that target arbitrary file deletion.
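As an added example (not code from SUCMS or from the referenced PDF), the following PHP shows the kind of input validation SI-10 describes for a delete-by-name template endpoint: the file name taken from the GET request is allowlisted, resolved with realpath(), and checked for containment in the template directory before anything reaches unlink(). The directory layout, function name and permitted extensions are assumptions.

```php
<?php
// Added example, not SUCMS code. Assumes templates are plain files stored
// directly under $templateDir and that only those files may be deleted.
// Authentication and an admin authorization check must run before this.

function resolveTemplateForDeletion(string $templateDir, string $requested): ?string
{
    // Allowlist a bare file name: no slashes, no NUL bytes, no "." segments.
    // Rejecting everything else is stricter than trying to strip "../".
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(php|html|tpl)\z/', $requested)) {
        return null;
    }

    $base   = realpath($templateDir);
    $target = realpath($templateDir . DIRECTORY_SEPARATOR . $requested);

    // realpath() returns false for non-existent paths and resolves symlinks,
    // so a link that points outside the directory fails the check below.
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }

    // Containment: the resolved file must sit directly inside $base.
    if (dirname($target) !== $base) {
        return null;
    }

    return $target;
}

// Constructed demo: a temporary template directory holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'index.html');

var_dump(resolveTemplateForDeletion($dir, 'index.html'));       // resolved path
var_dump(resolveTemplateForDeletion($dir, '../outside.html'));  // rejected
var_dump(resolveTemplateForDeletion($dir, 'missing.html'));     // rejected

// In a handler, delete only what the check returns (constructed usage):
// $path = resolveTemplateForDeletion(__DIR__ . '/templates', $_GET['file'] ?? '');
// if ($path === null) { http_response_code(400); exit; }
// unlink($path);

unlink($dir . DIRECTORY_SEPARATOR . 'index.html');
rmdir($dir);
```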