Cyber Resilience

CVE-2025-50857

Severity: Critical
Published: 26 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0229 (81.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-50857 is a critical-severity path traversal (CWE-22) vulnerability in ZenTaoPMS, with a CVSS 3.1 base score of 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE in the top 19.0% by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The AI classification on this page (category Other Platforms, risk domain Other ATLAS/OWASP Terms) rests on a keyword match on "ai", which occurs in the affected module path /module/ai/. The weakness itself is a conventional web-application path traversal in an upload handler, and no OWASP Top 10 for LLMs entry is mapped to it.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

ZenTaoPMS versions 18.11 through 21.6.beta contain a directory traversal flaw in /module/ai/control.php that permits arbitrary code execution through a crafted file upload. The issue is tracked as CVE-2025-50857 with a CVSS 3.1 base score of 9.8 and is classified under CWE-22.

Unauthenticated remote attackers can exploit the flaw over the network, without user interaction, to write a crafted file outside the intended upload location and from there run arbitrary code on the server; the CVSS vector rates the impact on confidentiality, integrity and availability as high. The EPSS score stood at 0.0117 at the time of this analysis, with no material increase after disclosure.

The public references consist of proof-of-concept material hosted on GitHub; no vendor advisory or patch guidance is referenced. Until a fix is available, treat every listed version as exploitable, keep the instance off the public internet where possible, and restrict the /module/ai/ endpoint to authenticated users who need it.

Vulnerability details

ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keyword "ai"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a directory traversal in a public-facing web application (/module/ai/control.php) enabling unauthenticated remote code execution via crafted file upload, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8756 (shared CWE-22)
CVE-2026-2033 (shared CWE-22)
CVE-2025-10488 (shared CWE-22)
CVE-2025-11201 (shared CWE-22)
CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Enforces validation of file paths and names supplied in uploads to /module/ai/control.php, rejecting the directory traversal sequences used to place a file where it can be executed. Reject rather than strip offending input, and do not let the client choose the on-disk name.

AC-3 Access Enforcement (prevent)

Enforces access-control decisions on the currently unauthenticated endpoint, so remote attackers cannot reach the vulnerable upload handler without proper authorization.

prevent

Restricts unnecessary upload or AI-module functionality, reducing the attack surface that allows crafted files to traverse directories and execute code.
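The crafted-upload traversal described under Deeper analysis and the SI-10 input validation control above, shown as an added example in Python. This is not ZenTaoPMS code (which is PHP; the page does not show the vulnerable handler). It assumes the traversal sequence arrives in the multipart filename; the upload root, the sample names and the extension allowlist are constructed for the illustration.

```python
"""Added illustration for this CVE page, not ZenTaoPMS code: the upload-handling
pattern that produces a CWE-22 file-upload traversal, beside a hardened version.
The upload root, file names and extension allowlist are constructed for the example."""
import os
import re
import secrets
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/app/data/upload"                           # hypothetical upload root
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "zip"}  # hypothetical allowlist
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")       # bare file name only

# Constructed sample of what an upload handler might receive as the multipart filename.
SAMPLE_NAMES = [
    "report.pdf",                       # benign
    "../../../../../tmp/shell.php",     # classic traversal out of the upload root
    "..%2F..%2Fshell.php",              # same thing, percent-encoded
    "/etc/cron.d/job",                  # absolute path
    "shell.php%00.png",                 # NUL byte to truncate the name after checks
    "shell.php",                        # no traversal, but an executable extension
]


def naive_target(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: the client-supplied filename goes straight into the
    on-disk path. normpath only reveals where the write would land; a real
    handler would open() the result."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def sanitize_upload_name(filename: str) -> str:
    """Input validation in the spirit of SI-10: accept only a bare, allowlisted
    file name and reject (not strip) anything else. Raises ValueError."""
    name = unquote(filename)  # decode once so %2e%2e%2f is seen as ../ (double encoding fails the regex)
    if "\x00" in name or "/" in name or "\\" in name:
        raise ValueError("path separator or NUL in upload name")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("upload name outside the allowed character set")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    return name


def resolve_in_root(root: str, name: str) -> str:
    """Containment check, applied after validation: resolve symlinks and '..'
    with realpath, then require the result to sit under the upload root."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([real_root, target]) != real_root:
        raise ValueError(f"{name!r} resolves outside {real_root}")
    return target


def stored_path(upload_dir: str, filename: str) -> str:
    """Hardened pattern: use the client name only to pick an allowed extension,
    then store under a server-generated name so the client never chooses the path."""
    ext = sanitize_upload_name(filename).rsplit(".", 1)[1].lower()
    return resolve_in_root(upload_dir, f"{secrets.token_hex(16)}.{ext}")


def classify(filenames) -> dict:
    """Run each name through the validator and report the verdict."""
    verdicts = {}
    for f in filenames:
        try:
            sanitize_upload_name(f)
            verdicts[f] = "accepted"
        except ValueError as exc:
            verdicts[f] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    print("naive handler would write to:", naive_target(UPLOAD_DIR, SAMPLE_NAMES[1]))
    for name, verdict in classify(SAMPLE_NAMES).items():
        print(f"{name!r:36} {verdict}")
```

The decisive change is that the client never controls the on-disk path: the name is generated server-side and the realpath containment check catches anything the validator missed. The extension allowlist is secondary and only matters if the web server can execute files from the upload directory, which should itself be disabled.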
