CVE-2025-26137

High

Published: 18 March 2025

Published

18 March 2025

Modified

01 April 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0051 66.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26137 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Systemic-Rm Risk Value. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 33.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of the ReportUrl parameter to block crafted file paths enabling local file inclusion and arbitrary file reads.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on information inputs like ReportUrl at application boundaries to prevent path traversal to sensitive system files.

AC-3 Access Enforcement good match

prevent

Mandates enforcement of access authorizations to system resources, preventing unauthenticated access to arbitrary files via the vulnerable endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

LFI vulnerability enables unauthenticated arbitrary file reads on the server, facilitating data collection from local system (T1005), discovery of credentials in files (T1081), file and directory discovery (T1083), and exploitation of public-facing web applications (T1190).

NVD Description

Systemic Risk Value <=2.8.0 is vulnerable to Local File Inclusion via /GetFile.aspx?ReportUrl=. An unauthenticated attacker can exploit this issue to read arbitrary system files by supplying a crafted file path, potentially exposing sensitive information.

Deeper analysisAI

CVE-2025-26137, published on 2025-03-18, affects Systemic Risk Value versions <=2.8.0 and involves a Local File Inclusion vulnerability via the /GetFile.aspx?ReportUrl= endpoint. Classified under CWE-98, it allows an unauthenticated attacker to read arbitrary system files by supplying a crafted file path in the ReportUrl parameter. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges or user interaction required.

An unauthenticated attacker can exploit this issue remotely by sending a malicious request to the vulnerable endpoint, traversing the file system to access sensitive files such as configuration data, logs, or other system resources. Successful exploitation could lead to the disclosure of sensitive information, enabling further reconnaissance or attacks depending on the exposed data.

Further details, including potential proof-of-concept code, are available in the GitHub repository at https://github.com/Arakiba/CVEs/tree/main/CVE-2025-26137. No vendor-specific patches or mitigation guidance are detailed in the provided information.