CVE-2025-2652
Published: 23 March 2025
Summary
CVE-2025-2652 is a medium-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in Oretnom23 Employee And Visitor Gate Pass Logging System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Establishes and enforces secure configuration settings on web servers to disable directory listing, directly preventing remote exposure of directory contents in the affected sub-directories.
Restricts web servers to least functionality by prohibiting unnecessary features like directory browsing, mitigating the information disclosure vulnerability.
Controls and reviews publicly accessible content to ensure directory listings do not expose sensitive file names, paths, or configuration details without authorization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The directory listing exposure directly enables remote unauthenticated File and Directory Discovery (T1083) by disclosing file names, paths, and configuration details.
NVD Description
A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to exposure of information through directory listing. The attack can…
more
be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.
Deeper analysisAI
CVE-2025-2652 is a vulnerability in SourceCodester Employee and Visitor Gate Pass Logging System 1.0, classified as problematic due to exposure of information through directory listing. It affects an unknown functionality across multiple sub-directories, enabling remote attackers to access sensitive directory contents without authentication.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Successful exploitation allows attackers to view directory listings, potentially disclosing file names, paths, or other configuration details that could aid further reconnaissance or attacks.
Advisories recommend changing configuration settings to mitigate the issue, such as disabling directory listing on affected web servers. The exploit has been publicly disclosed, with details available on platforms like GitHub and VulDB, increasing the risk of widespread use.
Details
- CWE(s)