CVE-2025-41714
Published: 10 September 2025
Summary
CVE-2025-41714 is a high-severity Path Traversal (CWE-22) vulnerability in Certvde (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
The vulnerability CVE-2025-41714 is a path traversal flaw (CWE-22) in an upload endpoint that fails to properly validate the Upload-Key request header. An authenticated attacker can supply traversal sequences that cause upload-related artifacts to be written outside the intended storage directory. In certain configurations this can result in arbitrary file write and may be escalated to remote code execution. The issue carries a CVSS 3.1 base score of 8.8.
An authenticated remote attacker can exploit the weakness over the network without user interaction by crafting malicious Upload-Key headers. Successful exploitation grants the ability to place files in arbitrary locations on the server, potentially leading to full compromise of confidentiality, integrity, and availability.
The sole referenced advisory is VDE-2025-085 published by CERT@VDE; it contains the authoritative guidance on affected products and any available mitigations or patches.
EPSS remains flat at 0.0119 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27517
Vulnerability details
The upload endpoint insufficiently validates the 'Upload-Key' request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain configurations this enables arbitrary file write and may…
more
be leveraged to achieve remote code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public upload endpoint directly enables remote exploitation of server app (T1190) and arbitrary file writes for tool ingress (T1105) or web shell deployment (T1505.003) leading to RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the 'Upload-Key' request header to block path traversal sequences and confine uploads to intended storage.
Enforces restrictions on 'Upload-Key' inputs such as allowed characters and patterns to prevent traversal payloads like '../'.
Mandates enforcement of access controls to restrict file creation and writes to authorized storage locations only.