Cyber Resilience

CVE-2025-27590

Critical

Published: 03 March 2025

Published
03 March 2025
Modified
10 March 2025
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.1700 95.1th percentile
Risk Priority 28 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27590 is a critical-severity Path Traversal (CWE-22) vulnerability in Oxidized Web Project Oxidized Web. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

In oxidized-web (also known as Oxidized Web) versions prior to 0.15.0, the RANCID migration page is vulnerable to path traversal (CWE-22), enabling an unauthenticated remote attacker to gain control over the underlying Linux user account that runs the oxidized-web process. The flaw carries a CVSS 3.1 score of 9.0 with network attack vector, high complexity, no required privileges or user interaction, and changed scope, resulting in high impact to confidentiality, integrity, and availability.

An attacker who can reach the web interface can exploit the migration page to read or write arbitrary files accessible to the oxidized-web user, thereby achieving full control of that account and any network devices or configuration data it manages. The attack requires no authentication and can be performed over the network, though the high complexity rating indicates specific conditions must be met for successful exploitation.

The referenced commit a5220a0ddc57b85cd122bffee228d3ed4901668e and the 0.15.0 release tag indicate that upgrading to oxidized-web 0.15.0 addresses the issue. The current and peak EPSS score of 0.17 shows moderate but stable exploitation probability without a documented rise after disclosure.

EU & UK References

Vulnerability details

In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The unauthenticated remote path traversal in the public-facing oxidized-web interface directly enables T1190 (Exploit Public-Facing Application) and facilitates T1068 (Exploitation for Privilege Escalation) by granting control over the Linux user account running the process, including arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62630Shared CWE-22
CVE-2025-60786Shared CWE-22
CVE-2025-12422Shared CWE-22
CVE-2026-42520Shared CWE-22
CVE-2026-32727Shared CWE-22
CVE-2026-40258Shared CWE-22
CVE-2025-41757Shared CWE-22
CVE-2026-4858Shared CWE-22
CVE-2025-22130Shared CWE-22
CVE-2026-21227Shared CWE-22

Affected Assets

oxidized web project
oxidized web
≤ 0.15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Limits unauthenticated actions to prevent access to the vulnerable RANCID migration page that enables Linux user account takeover.

prevent

Validates and sanitizes inputs to block path traversal exploits on the unauthenticated RANCID migration page.

prevent

Enforces access control policies to restrict unauthorized logical access to the sensitive migration functionality exploited in this CVE.

References