CVE-2025-50857
Published: 26 February 2026
Summary
CVE-2025-50857 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
ZenTaoPMS versions 18.11 through 21.6.beta contain a directory traversal flaw in /module/ai/control.php that permits arbitrary code execution through a crafted file upload. The issue is tracked as CVE-2025-50857 with a CVSS 3.1 base score of 9.8 and is classified under CWE-22.
Unauthenticated remote attackers can exploit the vulnerability over the network without user interaction to read, write, or delete files and ultimately run arbitrary code on the server. The EPSS score remains flat at 0.0117 with no material increase after disclosure.
Public references consist of proof-of-concept material hosted on GitHub but contain no vendor advisory or patch guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208123
Vulnerability details
ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload.
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a directory traversal in a public-facing web application (/module/ai/control.php) enabling unauthenticated remote code execution via crafted file upload, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Enforces validation of file paths and names supplied in uploads to /module/ai/control.php, directly blocking the directory traversal sequences used for arbitrary code execution.
AC-3 (Access Enforcement): Enforces access-control decisions on the unauthenticated endpoint, preventing remote attackers from reaching the vulnerable upload handler without proper authorization.
Restricts unnecessary upload or AI-module functionality, reducing the attack surface that allows crafted files to traverse directories and execute code.
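The SI-10 control above describes the check an upload handler needs: the client-supplied file name must be confined to a single safe path component, and the resolved destination must stay under the upload root. The following Python is an added example written for this page; it is not ZenTaoPMS code, and the upload root, the extension allowlist and the sample file names are assumptions made for illustration. Traversal attempts are rejected rather than silently stripped to a basename, so the handler can log them instead of hiding the probe.

```python
"""Hardened handling of client-supplied upload file names.

Added example (not ZenTaoPMS code): input validation in the style of
NIST SI-10 that blocks directory traversal in a file-upload handler.
The allowlist, upload root and sample names below are assumptions.
"""
import re
from pathlib import Path, PurePosixPath

# Assumption: the application only legitimately accepts these types.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".pdf", ".txt"}

# Exactly one path component: no separators, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied name fails validation."""


def validate_upload_name(client_name: str) -> str:
    """Return client_name unchanged if it is a single safe path component.

    Traversal is rejected, not normalised away: reducing "../../x.pdf" to
    "x.pdf" would accept the upload and hide the attempt from detection.
    """
    if "\x00" in client_name:
        raise UnsafeUploadName("NUL byte in file name")
    if "/" in client_name or "\\" in client_name:
        raise UnsafeUploadName("path separator in file name")
    if client_name in ("", ".", "..") or not _SAFE_NAME.fullmatch(client_name):
        raise UnsafeUploadName(f"unacceptable file name: {client_name!r}")
    if PurePosixPath(client_name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeUploadName(f"disallowed extension: {client_name!r}")
    return client_name


def resolve_upload_target(upload_root: str, client_name: str) -> Path:
    """Map a validated name to an absolute path confined to upload_root.

    The containment check is independent of the name check: even if the
    name rules were loosened later, a resolved path (symlinks followed)
    outside the upload root is still refused.
    """
    root = Path(upload_root).resolve()
    target = (root / validate_upload_name(client_name)).resolve()
    if root not in target.parents:
        raise UnsafeUploadName("resolved path escapes the upload root")
    return target


def classify_names(upload_root: str, names: list[str]) -> dict[str, bool]:
    """True for names the handler would accept, False for rejected ones."""
    verdicts: dict[str, bool] = {}
    for name in names:
        try:
            resolve_upload_target(upload_root, name)
            verdicts[name] = True
        except UnsafeUploadName:
            verdicts[name] = False
    return verdicts


if __name__ == "__main__":
    # Constructed sample names, including traversal and NUL-byte probes.
    samples = ["report.pdf", "../../etc/passwd", "..\\..\\config.php",
               "shell.php", "notes.txt\x00.png", ".htaccess", "a..b.png"]
    for name, ok in classify_names("/srv/app/www/data/upload", samples).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name!r}")
```

Two layers are deliberate: the name check stops separators, NUL bytes and dotfiles before any path is built, and the containment check on the resolved path catches anything that slips through (for example a symlink inside the upload directory that points elsewhere). Note that "a..b.png" is accepted, since ".." inside a single component is not traversal; only separators make it one.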