Cyber Resilience

CVE-2025-2651

Medium · Public PoC

Published: 23 March 2025

Modified: 14 May 2025
KEV Added:
Patch:
CVSS Score v4: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0029 (53.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2651 is a medium-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in Oretnom23 Online Eyewear Shop. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE is ranked in the top 46.9% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1083 File and Directory Discovery (Tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Directory listing and traversal vulnerability in /oews/admin/ exposes files and directories remotely without authentication, enabling File and Directory Discovery (T1083) as explicitly mapped in advisories.

Affected Assets

Vendor: oretnom23 · Product: online eyewear shop · Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-552

Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties.

addresses: CWE-548

Detects information exposure through directory listings as unauthorized disclosure.

addresses: CWE-552

Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution.

addresses: CWE-552

Identifying and documenting file and directory locations allows restriction of access to external parties.

addresses: CWE-552

Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.

addresses: CWE-552

Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties.

addresses: CWE-552

Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors.

addresses: CWE-552

Media access restrictions prevent files or directories from being accessible to external parties.
