CVE-2025-27590
Published: 03 March 2025
Summary
CVE-2025-27590 is a critical-severity Path Traversal (CWE-22) vulnerability in Oxidized Web Project Oxidized Web. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
In oxidized-web (also known as Oxidized Web) versions prior to 0.15.0, the RANCID migration page is vulnerable to path traversal (CWE-22), enabling an unauthenticated remote attacker to gain control over the underlying Linux user account that runs the oxidized-web process. The flaw carries a CVSS 3.1 score of 9.0 with network attack vector, high complexity, no required privileges or user interaction, and changed scope, resulting in high impact to confidentiality, integrity, and availability.
An attacker who can reach the web interface can exploit the migration page to read or write arbitrary files accessible to the oxidized-web user, thereby achieving full control of that account and any network devices or configuration data it manages. The attack requires no authentication and can be performed over the network, though the high complexity rating indicates specific conditions must be met for successful exploitation.
The referenced commit a5220a0ddc57b85cd122bffee228d3ed4901668e and the 0.15.0 release tag indicate that upgrading to oxidized-web 0.15.0 addresses the issue. The current and peak EPSS score of 0.17 shows moderate but stable exploitation probability without a documented rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5558
Vulnerability details
In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated remote path traversal in the public-facing oxidized-web interface directly enables T1190 (Exploit Public-Facing Application) and facilitates T1068 (Exploitation for Privilege Escalation) by granting control over the Linux user account running the process, including arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Limits unauthenticated actions to prevent access to the vulnerable RANCID migration page that enables Linux user account takeover.
Validates and sanitizes inputs to block path traversal exploits on the unauthenticated RANCID migration page.
Enforces access control policies to restrict unauthorized logical access to the sensitive migration functionality exploited in this CVE.