Cyber Posture

CVE-2025-50857

Critical

Published: 26 February 2026

Published
26 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0117 78.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50857 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of user-supplied inputs like file paths, directly preventing directory traversal in the crafted file upload to /module/ai/control.php.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and correction of flaws, directly remediating the directory traversal vulnerability leading to arbitrary code execution.

SC-7 Boundary Protection partial match
prevent

Boundary protection with web application firewalls can inspect and block network requests containing directory traversal sequences in file uploads.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a directory traversal in a public-facing web application (/module/ai/control.php) enabling unauthenticated remote code execution via crafted file upload, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload

Deeper analysisAI

ZenTaoPMS versions v18.11 through v21.6.beta are affected by CVE-2025-50857, a directory traversal vulnerability (CWE-22) in the /module/ai/control.php component. This flaw allows attackers to execute arbitrary code through a crafted file upload.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Unauthenticated remote attackers can exploit it over the network with low attack complexity and no user interaction required, achieving high-impact arbitrary code execution that compromises confidentiality, integrity, and availability.

References provided include a GitHub gist at https://gist.github.com/sorzs/c67a3dcaa9adb49266d5ff52a04d904b and a repository file at https://github.com/sorzs/test/blob/main/read_and_delete, which appear to demonstrate the vulnerability, such as through read and delete operations. No specific patch or mitigation guidance is detailed in the available information.

Details

CWE(s)
CWE-22

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

CVEs Like This One

CVE-2026-27897Shared CWE-22
CVE-2026-24478Shared CWE-22
CVE-2026-25592Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2025-14727Shared CWE-22
CVE-2025-36236Shared CWE-22
CVE-2025-7360Shared CWE-22
CVE-2025-7712Shared CWE-22
CVE-2024-39786Shared CWE-22
CVE-2025-64057Shared CWE-22

References