CVE-2025-25997
Published: 14 February 2025
Summary
CVE-2025-25997 is a high-severity Path Traversal (CWE-22) vulnerability in Feminer Wms Project Feminer Wms. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25997 is a directory traversal vulnerability, tracked as CWE-22, that affects the databak.php component in FeMiner wms version 1.0. The flaw carries a CVSS 3.1 score of 7.5 and permits remote, unauthenticated retrieval of sensitive files from the underlying system.
An attacker with network access can supply crafted path sequences to databak.php and read arbitrary files without credentials or user interaction, resulting in high-impact confidentiality exposure while leaving integrity and availability unaffected.
The sole reference is a GitHub issue tracker entry for the project; no advisory text, patch details, or mitigation guidance is supplied in the available data. EPSS values have remained low, with a current score of 0.0213 and a peak of 0.0290, showing no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4147
Vulnerability details
Directory Traversal vulnerability in FeMiner wms v.1.0 allows a remote attacker to obtain sensitive information via the databak.php component.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal in public-facing web app (databak.php) directly enables remote unauthenticated file access outside intended paths, mapping to T1190 for initial exploitation and T1005 for resulting sensitive data collection from the local filesystem.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates directory traversal by validating file path inputs in databak.php to block traversal sequences like ../
Addresses the specific flaw in FeMiner wms v1.0 databak.php by identifying, reporting, and correcting the vulnerability through patching.
Enforces access controls to restrict unauthorized reading of sensitive files outside the intended directory even if traversal input is processed.