
CVE-2025-27783

Severity: High
Published: 19 March 2025
Modified: 01 August 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none available at time of publication
CVSS v4.0 score: 7.7 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
EPSS score: 0.1536 (94.8th percentile)
Risk Priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27783 is a high-severity Path Traversal (CWE-22) vulnerability in Applio (vendor and product are both listed as Applio). Its CVSS v4.0 score is 7.7 (High), with exploit maturity rated Proof-of-Concept (E:P).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Applio, an open-source voice conversion tool, contains an arbitrary file write vulnerability in versions 3.2.8-bugfix and earlier. The flaw, classified as CWE-22 (path traversal), resides in the training component implemented in tabs/train/train.py: path components derived from user input are not constrained to the intended directory, so files can be written to arbitrary locations on the server. It can be chained with unsafe deserialization to reach remote code execution.

An unauthenticated attacker can exploit the issue over the network by supplying crafted inputs to the training interface. The resulting file writes may overwrite configuration, scripts, or other sensitive resources and can lead to full system compromise when combined with deserialization flaws.
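As an added illustration (this is not Applio's code and does not reproduce the real train.py parameters; the helper names, the model_name/filename inputs and the logs/ layout are assumptions), the following Python shows a hypothetical file-write helper with the traversal defect described above beside a hardened version that applies the SI-10 style input validation named under Mitigating Controls:

```python
# Added example, not Applio's code: a path-traversal arbitrary file write of the
# kind the advisory attributes to tabs/train/train.py, shown as a hypothetical
# vulnerable helper beside a hardened one. The parameter names (model_name,
# filename) and the "logs" directory layout are assumptions for illustration.
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def vulnerable_save_path(base_dir: str, model_name: str, filename: str) -> str:
    """Hypothetical vulnerable pattern: request-controlled strings are joined
    straight into a filesystem path. "../" segments walk out of base_dir, and an
    absolute component makes os.path.join discard everything before it."""
    return os.path.join(base_dir, "logs", model_name, filename)


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the allowed directory."""


# Allowlist for a single path component: no separators, no leading dot.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


def safe_save_path(base_dir: str, model_name: str, filename: str) -> str:
    """Hardened form:
    1. allowlist every untrusted component (rejects "/", "\\", NUL, leading "."),
    2. reject "." and ".." outright,
    3. resolve the final path (follows symlinks) and confirm it is still
       under base_dir, so a symlinked model directory cannot redirect the write."""
    for part in (model_name, filename):
        if part in (".", "..") or not _NAME_RE.fullmatch(part):
            raise PathTraversalError(f"rejected path component: {part!r}")
    root = Path(base_dir).resolve()
    candidate = (root / "logs" / model_name / filename).resolve()
    try:
        candidate.relative_to(root)
    except ValueError as exc:
        raise PathTraversalError(f"{candidate} escapes {root}") from exc
    return str(candidate)


# Constructed attacker inputs: classic traversal, an absolute path, and a
# Windows-style separator that a naive check for "/" alone would miss.
ATTACK_INPUTS = [
    ("../../etc", "cron.d_evil"),
    ("/etc", "passwd"),
    ("..\\..\\windows", "evil.bat"),
]


def demo(base_dir: Optional[str] = None) -> Dict[str, Tuple[bool, bool]]:
    """For each payload, report (escaped_with_vulnerable_helper, blocked_by_safe_helper).
    On a POSIX host the first two payloads escape base_dir; all three are blocked."""
    base = base_dir or tempfile.mkdtemp(prefix="applio_demo_")
    root = Path(base).resolve()
    results: Dict[str, Tuple[bool, bool]] = {}
    for model_name, filename in ATTACK_INPUTS:
        raw = Path(vulnerable_save_path(base, model_name, filename)).resolve()
        escaped = raw != root and root not in raw.parents
        try:
            safe_save_path(base, model_name, filename)
            blocked = False
        except PathTraversalError:
            blocked = True
        results[model_name] = (escaped, blocked)
    return results


if __name__ == "__main__":
    for payload, (escaped, blocked) in demo().items():
        print(f"{payload!r:20} vulnerable escapes={escaped}  hardened blocks={blocked}")
    print(safe_save_path("/srv/applio", "my_model", "G_1000.pth"))
```

The allowlist does most of the work; the resolve-then-relative_to check is the backstop that also catches a model directory that has been replaced by a symlink pointing outside the tree. Note that validating the path does not address the separate unsafe-deserialization step the advisory mentions; that needs its own fix.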

Public references, including the GitHub Security Lab advisory GHSL-2024-341, point to the vulnerable code paths but state that no patches have been released as of publication. The affected project has not published mitigations or updated releases addressing the reported issue.

EPSS scores for the CVE reached a peak of 0.1951 before settling at the current value of 0.1536, indicating measurable post-disclosure exploitation interest that warrants monitoring.


Vulnerability details

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in train.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of time of publication, no known patches are available.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Command and Scripting Interpreter: Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Remote unauthenticated arbitrary file write in a public-facing Applio server (T1190), chained with unsafe deserialization for Python-based RCE (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27782 (same product: Applio)
CVE-2025-27786 (same product: Applio)
CVE-2025-27780 (same product: Applio)
CVE-2025-27779 (same product: Applio)
CVE-2025-27781 (same product: Applio)
CVE-2025-27785 (same product: Applio)
CVE-2025-27787 (same product: Applio)
CVE-2025-27778 (same product: Applio)
CVE-2025-27777 (same product: Applio)
CVE-2025-27784 (same product: Applio)

Affected Assets

Vendor: applio
Product: applio
Versions: ≤ 3.2.8-bugfix

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Information input validation directly prevents the path traversal in train.py that enables arbitrary file writes.

SI-2 Flaw Remediation (prevent)

Flaw remediation requires timely identification and patching of the arbitrary file write vulnerability in train.py and related components.

AC-6 Least Privilege (prevent)

Least privilege limits the scope and impact of arbitrary file writes by restricting the Applio process's filesystem access permissions.
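As an added example of the least-privilege control above (not a unit file shipped by Applio or referenced by this advisory), the following hypothetical systemd service confines the Applio process so that a traversal write can only land inside directories the service legitimately needs. The install path, service user, entry point (app.py) and writable directories are assumptions; adjust them to the actual deployment.

```ini
# Added example, not part of Applio or this advisory: a hypothetical systemd unit
# that confines the Applio process. Paths, user name and the app.py entry point
# are assumptions for illustration.
[Unit]
Description=Applio voice conversion (hardened, hypothetical)
After=network.target

[Service]
User=applio
Group=applio
WorkingDirectory=/opt/applio
ExecStart=/opt/applio/.venv/bin/python /opt/applio/app.py

# Weak (typical) setting: none of the directives below, so the process can write
# anywhere the "applio" user can, including its own source tree and scripts.
#
# Corrected: mount the filesystem read-only for this service and allow writes
# only where training output and model assets are expected to go.
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/applio/logs /opt/applio/assets
PrivateTmp=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
```

With ProtectSystem=strict, a traversal payload can still be submitted, but a write outside the ReadWritePaths directories fails with a read-only filesystem error, which reduces impact rather than removing the flaw. ReadWritePaths must list every directory the training pipeline writes (model output, caches, temporary conversions), and device-hiding directives should be avoided for a GPU-backed service that needs the accelerator device nodes.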
