Cyber Posture

CVE-2025-27092

High · Public PoC

Published: 19 February 2025
Modified: 27 February 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0057 (68.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27092 is a high-severity Path Traversal (CWE-22) vulnerability in CMU GHOSTS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires validation and sanitization of photoLink inputs to prevent processing of path traversal sequences like ../ in the NPC creation process.

Prevent: Enforces access control policies to restrict the photo retrieval endpoint to only files within the intended directory, blocking unauthorized file access.

Prevent: Applies least privilege to the web application process, limiting readable files and reducing the impact of successful path traversal to sensitive data.
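Added example (not taken from the GHOSTS code base or its fix commit): a containment check of the kind the first two controls describe, written in Python for illustration beside the join-and-use pattern it replaces. The function names, the directory layout and the sample photoLink values are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path


class PhotoPathError(ValueError):
    """A stored photoLink does not resolve inside the photo directory."""


def naive_photo_path(photo_dir, photo_link):
    # Pattern the advisory describes: the stored value is joined and used as-is.
    return os.path.normpath(os.path.join(photo_dir, photo_link))


def safe_photo_path(photo_dir, photo_link):
    # Treat "\" as a separator too, so "..\" is handled like "../" on any host OS.
    link = photo_link.replace("\\", "/")
    if not link or "\x00" in link:
        raise PhotoPathError("empty or malformed photoLink")
    base = os.path.realpath(photo_dir)
    # realpath collapses ".." and follows symlinks, so the check is made on
    # the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, link))
    # commonpath compares whole components; startswith() would accept a
    # sibling directory such as "<base>_backup".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PhotoPathError(f"photoLink escapes photo directory: {photo_link!r}")
    return candidate


def demo():
    # Constructed layout: <root>/photos/npc1.png beside <root>/config.json
    root = os.path.realpath(tempfile.mkdtemp())
    photos = os.path.join(root, "photos")
    os.mkdir(photos)
    Path(photos, "npc1.png").write_bytes(b"png")
    Path(root, "config.json").write_text("{}")
    results = {"naive": os.path.relpath(naive_photo_path(photos, "../config.json"), root)}
    for link in ("npc1.png", "../config.json", "..\\config.json",
                 "/etc/hostname", "../photos_backup/x.png"):
        try:
            results[link] = os.path.relpath(safe_photo_path(photos, link), root)
        except PhotoPathError:
            results[link] = "rejected"
    return results


if __name__ == "__main__":
    for link, outcome in demo().items():
        print(f"{link!r:28} -> {outcome}")
```

The check belongs both where photoLink is stored (NPC creation) and where it is read back (the photo endpoint), so values stored before the check existed are still caught.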

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in a public-facing API endpoint enables remote, unauthenticated, arbitrary file reads from the server filesystem. This directly supports T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for collection of sensitive files such as configs or credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

GHOSTS is an open source user simulation framework for cyber experimentation, simulation, training, and exercise. A path traversal vulnerability was discovered in GHOSTS version 8.0.0.0 that allows an attacker to access files outside of the intended directory through the photo retrieval endpoint. The vulnerability exists in the /api/npcs/{id}/photo endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) but fails to properly validate and sanitize file paths. When an NPC is created with a specially crafted photoLink value containing path traversal sequences (../, ..\, etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory, potentially exposing sensitive system files. The vulnerability is particularly severe because it allows reading arbitrary files from the server's filesystem with the permissions of the web application process, which could include configuration files, credentials, or other sensitive data. This issue has been addressed in version 8.2.7.90 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Deeper analysis

CVE-2025-27092 is a path traversal vulnerability (CWE-22) affecting GHOSTS version 8.0.0.0, an open source user simulation framework developed for cyber experimentation, simulation, training, and exercise. The issue resides in the /api/npcs/{id}/photo endpoint, which serves profile photos for Non-Player Characters (NPCs) but fails to properly validate and sanitize file paths. Specifically, when an NPC is created with a specially crafted photoLink value containing path traversal sequences such as ../ or ..\, the application processes these without sanitization, enabling access to files outside the intended photo directory.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely over the network with low complexity, no privileges or user interaction required, and high confidentiality impact. Any unauthenticated attacker with network access to the GHOSTS instance can exploit this by creating an NPC with a malicious photoLink and then requesting the photo endpoint, allowing them to read arbitrary files from the server's filesystem under the permissions of the web application process. This could expose sensitive data such as configuration files or credentials.

The vulnerability has been addressed in GHOSTS version 8.2.7.90, and all users are advised to upgrade immediately, as no workarounds are available. Details on the fix are provided in the GitHub commit e69827556a52ff813de00e1017c4b62598d2c887 and the security advisory at GHSA-qr67-m6w9-wj3j.

Details

CWE(s)

Affected Products

cmu ghosts: 8.0.0 — 8.2.7.90

CVEs Like This One

CVE-2026-23536 (Shared CWE-22)
CVE-2025-23422 (Shared CWE-22)
CVE-2025-8343 (Shared CWE-22)
CVE-2025-10559 (Shared CWE-22)
CVE-2025-67076 (Shared CWE-22)
CVE-2026-5258 (Shared CWE-22)
CVE-2025-25155 (Shared CWE-22)
CVE-2024-51376 (Shared CWE-22)
CVE-2024-13471 (Shared CWE-22)
CVE-2026-27442 (Shared CWE-22)

References