CVE-2025-27590

Critical

Published: 03 March 2025

Published

03 March 2025

Modified

10 March 2025

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.1340 94.2th percentile

Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27590 is a critical-severity Path Traversal (CWE-22) vulnerability in Oxidized Web Project Oxidized Web. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Limits unauthenticated actions to prevent access to the vulnerable RANCID migration page that enables Linux user account takeover.

SI-10 Information Input Validation good match

prevent

Validates and sanitizes inputs to block path traversal exploits on the unauthenticated RANCID migration page.

AC-3 Access Enforcement good match

prevent

Enforces access control policies to restrict unauthorized logical access to the sensitive migration functionality exploited in this CVE.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The unauthenticated remote path traversal in the public-facing oxidized-web interface directly enables T1190 (Exploit Public-Facing Application) and facilitates T1068 (Exploitation for Privilege Escalation) by granting control over the Linux user account running the process, including arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.

Deeper analysisAI

CVE-2025-27590 affects oxidized-web (also known as Oxidized Web) versions prior to 0.15.0, a web interface for the Oxidized network configuration backup tool. The vulnerability resides in the RANCID migration page, which enables an unauthenticated user to gain control over the Linux user account running the oxidized-web process. It has been assigned a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-22 (Path Traversal), as indicated by NVD-CWE-noinfo. The issue was published on 2025-03-03.

An attacker can exploit this vulnerability remotely over the network without authentication or user interaction, though it requires high attack complexity. Successful exploitation grants the attacker control over the underlying Linux user account executing oxidized-web, potentially leading to high-impact confidentiality, integrity, and availability violations with a changed scope, such as arbitrary code execution or privilege escalation within the application's context.

Mitigation is available via the oxidized-web release 0.15.0, which addresses the flaw as detailed in the associated GitHub commit a5220a0ddc57b85cd122bffee228d3ed4901668e. Security practitioners should upgrade to version 0.15.0 or later to remediate the vulnerability.