CVE-2025-51651
Published: 14 July 2025
Summary
CVE-2025-51651 is a medium-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in Chshcms Mccms. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 40.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21373
Vulnerability details
An authenticated arbitrary file download vulnerability in the component /admin/Backups.php of Mccms v2.7.0 allows attackers to download arbitrary files via a crafted GET request.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authenticated arbitrary file download vulnerability enables adversaries to collect data from the local file system of the web server (T1005) and extract unsecured credentials stored in files (T1552.001).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Protects sensitive data placed in query strings from interception in transit when confidentiality controls like HTTPS are enforced.