Cyber Resilience

CVE-2025-45238

Severity: Critical · Public PoC

Published: 05 May 2025
Modified: 12 June 2025
KEV Added: not listed
Patch: none recorded
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0194 (83.8th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-45238 is a critical-severity Path Traversal (CWE-22) vulnerability in Qianfox Foxcms. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 16.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

foxcms version 1.2.5 contains an arbitrary file deletion vulnerability in the delRestoreSerie method. The flaw is tracked as CVE-2025-45238 with CWE-22 and carries a CVSS 3.1 score of 9.1, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker can invoke the affected method with attacker-chosen paths, causing files on the server to be deleted. Successful exploitation has high impact on integrity and availability while leaving confidentiality untouched.

The associated EPSS score remains low at 0.0194 with no material increase since disclosure. Public references consist of a GitHub gist and the project repository on Gitee, neither of which details patches or mitigation steps.

Vulnerability details

foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- qianfox / foxcms / 1.2.5 (vendor / product / version)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Path validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
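The control above, and the deletion primitive described under "Deeper analysis", come down to one check: a user-supplied name must be resolved and proven to stay inside the directory the feature is allowed to touch before any unlink happens. The following is an added example written for this page; it is not Foxcms code and makes no claim about how delRestoreSerie is implemented. The helper names (resolve_within, delete_backup, demo) and the directory layout in demo() are constructed for illustration.

```python
"""Hardened file-deletion helper: confine a user-supplied filename to one
directory.  Added example; not code from the Foxcms project."""
import tempfile
from pathlib import Path


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Return the absolute path for user_path only if it stays inside base_dir.

    '..' segments and symlinks are resolved before the comparison, so neither
    '../../etc/passwd' nor a symlink planted inside base_dir can escape.
    Raises ValueError for any path that leaves the allowed directory.
    """
    base = Path(base_dir).resolve(strict=True)
    # Join first, then resolve: an absolute user_path would otherwise replace base.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes allowed directory: {user_path!r}") from None
    return candidate


def delete_backup(base_dir: str, name: str) -> bool:
    """Delete one regular file under base_dir; refuse anything else.

    Returns True if a file was removed, False if there was nothing to delete.
    """
    target = resolve_within(base_dir, name)
    if target == Path(base_dir).resolve():
        raise ValueError("refusing to operate on the base directory itself")
    if not target.is_file():
        return False  # directories, devices, missing files: nothing to do
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the helper on a constructed directory layout (hypothetical data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "backups"
        backups.mkdir()
        (backups / "site-2025-05.sql").write_text("-- constructed dump\n")
        outside = Path(tmp) / "config.php"
        outside.write_text("<?php // constructed; must survive\n")
        # A symlink inside the allowed directory that points outside it.
        (backups / "link").symlink_to(outside)

        # Legitimate request: a file that really lives under backups/.
        results["delete_ok"] = delete_backup(str(backups), "site-2025-05.sql")

        # Requests that must be refused: traversal, absolute path, symlink, base itself.
        for bad in ["../config.php", "/etc/passwd", "link", "."]:
            try:
                delete_backup(str(backups), bad)
                results[bad] = "deleted"
            except ValueError:
                results[bad] = "rejected"
        results["outside_survives"] = outside.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The order of operations matters: joining before resolving is what stops an absolute input from discarding the base, and resolving before comparing is what defeats both `..` segments and symlinks. Comparing string prefixes instead (for example `startswith(base_dir)`) would accept a sibling directory such as `backups2/`, which is why `relative_to` on resolved paths is used.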
