CVE-2025-34076
Published: 02 July 2025
Summary
CVE-2025-34076 is a medium-severity Path Traversal (CWE-22) vulnerability in Microweber CMS (vendor: Microweber). Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 2.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
Microweber CMS versions 1.2.11 and earlier contain an authenticated local file inclusion vulnerability in the backup management API. The flaw resides in the /api/BackupV2/upload and /api/BackupV2/download endpoints, which accept an attacker-controlled src parameter without sufficient path validation or access restrictions, allowing misuse of backup logic to interact with arbitrary filesystem paths.
Authenticated users can supply absolute file paths to relocate or delete target files via the upload endpoint and subsequently retrieve their contents through the download endpoint, resulting in local file disclosure. The issue is tracked as CWE-22 and carries a CVSS 4.0 score of 6.1 reflecting network-accessible exploitation by low-privileged users without user interaction.
Public references include two commits that address the path-handling deficiencies, a coordinated disclosure record on Huntr, and a Metasploit auxiliary module that implements the LFI technique. The associated EPSS score stands at 0.4876 with no material post-disclosure rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19754
Vulnerability details
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The LFI vulnerability enables arbitrary file reads (T1005; T1081 where the disclosed files hold credentials) and file deletion or relocation (T1070.004), reached by exploiting a public-facing CMS application (T1190).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
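The control above is the generic fix for the weakness class on this page: a user-supplied path such as the src parameter must never reach filesystem operations unchecked. The following is an added example written for this page, not Microweber's own code or patch. It resolves the supplied value against a fixed base directory, canonicalises it (dot-dot segments and symlinks included) and refuses anything that lands outside that base. Python is used because the check is framework-independent; the base directory constant and the function names are assumptions for the example.

```python
"""Added example (not Microweber's code): confining a user-supplied backup
path to the backup directory.

Endpoint and parameter names follow the advisory; BACKUP_DIR is an assumed
location, not a real Microweber path.
"""
import os
import tempfile

BACKUP_DIR = "/srv/microweber/backups"  # assumed base directory for the example


class PathRejected(ValueError):
    """Raised when a user-supplied path does not stay inside the base directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Return an absolute path under base_dir, or raise PathRejected.

    Checks, in order:
      1. empty, whitespace-padded or NUL-containing values are refused;
      2. absolute paths are refused (they bypass the base entirely);
      3. the joined path is canonicalised (.. segments and symlinks resolved);
      4. the canonical result must still be inside base_dir.
    """
    if not user_path or user_path != user_path.strip():
        raise PathRejected("empty or whitespace-padded path")
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathRejected("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath is the robust containment test; a plain startswith() would
    # accept /srv/backups-other when the base is /srv/backups.
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("path escapes the backup directory")
    return candidate


def check_src(user_path: str, base_dir: str = BACKUP_DIR) -> bool:
    """Return True if user_path would be accepted by safe_join(), else False."""
    try:
        safe_join(base_dir, user_path)
        return True
    except PathRejected:
        return False


def demo_symlink_escape() -> bool:
    """Show that canonicalisation also catches symlink escapes.

    Creates a temporary base directory containing a symlink that points
    outside it and checks that safe_join() refuses a path through the link.
    Returns True when the escape was blocked.
    """
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as base:
        link = os.path.join(base, "latest")
        os.symlink(outside, link)
        return not check_src("latest/backup.zip", base_dir=base)


if __name__ == "__main__":
    # Constructed sample values: one legitimate name, one normalised-but-inside
    # name, and two that escape the base directory.
    for p in ["site-2025-07-02.zip", "sub/../ok.zip", "../../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r:28} -> {'accepted' if check_src(p) else 'rejected'}")
    print("symlink escape blocked:", demo_symlink_escape())
```

The order of checks matters: rejecting absolute paths up front is what addresses the exact failure described on this page (an absolute value in src), while the canonicalise-then-contain step catches the dot-dot and symlink variants that a prefix check alone would miss. Apply the same function to every filesystem-touching parameter of the backup API, the download side included, rather than only to upload.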