Cyber Resilience

CVE-2025-34076

Severity: Medium · Public PoC

Published: 02 July 2025
Modified: 20 August 2025
CVSS v4 score: 6.1
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.4876 (97.8th percentile)
Risk priority: 41 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34076 is a medium-severity Path Traversal (CWE-22) vulnerability in Microweber CMS (vendor: Microweber). Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 2.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Microweber CMS versions 1.2.11 and earlier contain an authenticated local file inclusion vulnerability in the backup management API. The flaw resides in the /api/BackupV2/upload and /api/BackupV2/download endpoints, which accept an attacker-controlled src parameter without sufficient path validation or access restrictions, allowing misuse of backup logic to interact with arbitrary filesystem paths.

Authenticated users can supply absolute file paths to relocate or delete target files via the upload endpoint and subsequently retrieve their contents through the download endpoint, resulting in local file disclosure. The issue is tracked as CWE-22 and carries a CVSS 4.0 score of 6.1, reflecting network-accessible exploitation by low-privileged users without user interaction.

Public references include two commits that address the path-handling deficiencies, a coordinated disclosure record on Huntr, and a Metasploit auxiliary module that implements the LFI technique. The associated EPSS score stands at 0.4876 and has shown no material rise from its lower pre-disclosure baseline.

Vulnerability details

An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The LFI vulnerability enables arbitrary file reads (T1005; T1552.001, formerly T1081, where the files hold credentials) and file deletion or relocation (T1070.004), reached through exploitation of a public-facing CMS application (T1190).

Affected Assets

Vendor: microweber
Product: microweber
Versions: ≤ 1.2.11

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
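As an added example (not Microweber's code and not part of this advisory record), the following Python shows what the control above amounts to in practice: a confinement check that accepts a user-supplied backup `src` value only if its resolved real path stays inside the backup directory, plus a log check that flags requests to the two BackupV2 endpoints whose query carries an absolute path, a `..` segment or a NUL byte. The backup directory layout, the function names and the sample log lines are constructed for the example; the download line assumes the download endpoint also takes a `src` parameter, which the advisory does not state.

```python
"""Added example: path confinement for a backup 'src' parameter and a
log check for requests that violate it. Hypothetical names; not
Microweber's own code."""
import os
import re
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from urllib.parse import parse_qsl, unquote, urlsplit


def resolve_backup_path(backup_dir, src):
    """Return the resolved Path for src if it stays inside backup_dir,
    else None. The decision is made on the resolved real path, so
    absolute paths (POSIX or Windows form), NUL bytes, '..' segments
    and symlinks that point outside the directory are all rejected."""
    if not src or "\x00" in src:
        return None
    if PurePosixPath(src).is_absolute() or PureWindowsPath(src).is_absolute():
        return None
    root = Path(backup_dir).resolve()
    candidate = (root / src).resolve()  # collapses '..' and follows symlinks
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


BACKUP_ENDPOINTS = ("/api/BackupV2/upload", "/api/BackupV2/download")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_backup_requests(log_lines):
    """Return (line_index, param, value) for each request to a backup
    endpoint whose query carries an absolute path, a '..' segment or a
    NUL byte. Values are decoded a second time to catch double encoding."""
    hits = []
    for i, line in enumerate(log_lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in BACKUP_ENDPOINTS:
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote(value)
            posix_form = decoded.replace("\\", "/")
            if (PurePosixPath(posix_form).is_absolute()
                    or PureWindowsPath(decoded).is_absolute()
                    or ".." in PurePosixPath(posix_form).parts
                    or "\x00" in decoded):
                hits.append((i, key, decoded))
    return hits


# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [02/Jul/2025:10:00:01 +0000] "POST /api/BackupV2/upload?src=site-2025-07-02.zip HTTP/1.1" 200 512',
    '10.0.0.5 - admin [02/Jul/2025:10:00:03 +0000] "GET /api/BackupV2/download?src=site-2025-07-02.zip HTTP/1.1" 200 40960',
    '10.0.0.9 - editor [02/Jul/2025:10:00:07 +0000] "POST /api/BackupV2/upload?src=%2Fetc%2Fhostname HTTP/1.1" 200 64',
    '10.0.0.9 - editor [02/Jul/2025:10:00:12 +0000] "POST /api/BackupV2/upload?src=..%2F..%2Fprivate%2Fnotes.txt HTTP/1.1" 200 64',
    '10.0.0.7 - guest [02/Jul/2025:10:00:20 +0000] "GET /index.php?src=%2Fetc%2Fhostname HTTP/1.1" 200 1200',
]


def demo():
    """Exercise resolve_backup_path against a throwaway backup directory.
    Returns a dict of case name -> whether the path was accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "backups")
        root.mkdir()
        (root / "site.zip").write_bytes(b"constructed")
        try:
            os.symlink(Path(tmp), root / "escape")  # link pointing above root
            symlink_ok = True
        except OSError:  # symlinks unavailable on this host
            symlink_ok = False
        accepted = lambda src: resolve_backup_path(root, src) is not None
        results = {
            "plain": accepted("site.zip"),
            "nested_ok": accepted("2025/site.zip"),
            "dotdot_inside": accepted("2025/../site.zip"),  # resolves inside
            "absolute": accepted("/etc/hostname"),
            "windows_abs": accepted("C:\\Windows\\win.ini"),
            "dotdot_escape": accepted("../outside.txt"),
            "nul": accepted("site.zip\x00.txt"),
            "symlink_escape": accepted("escape/outside.txt") if symlink_ok else None,
        }
    return results


if __name__ == "__main__":
    print(demo())
    print(suspicious_backup_requests(SAMPLE_LOG))
```

The `dotdot_inside` case is why the check works on the resolved path rather than banning the string `..`: a value such as `2025/../site.zip` is harmless and is accepted, while `../outside.txt` and a symlink that points above the backup directory are both refused by the same `relative_to` test.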
