CVE-2025-58762
Published: 09 September 2025
Summary
CVE-2025-58762 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Tautulli (vendor: Tautulli). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Tautulli, a Python-based monitoring and tracking tool for Plex Media Server, contains a path traversal vulnerability in versions 2.15.3 and earlier. An authenticated administrator can abuse the pms_image_proxy endpoint by supplying a crafted img_format parameter containing directory traversal sequences, combined with control over the configured Plex Media Server URL, to write arbitrary files to the application filesystem.
An attacker with administrative access first redirects the PMS URL to a server under their control. They then issue a pms_image_proxy request that causes Tautulli to fetch attacker-supplied content and store it at a path ending in the unsanitized img_format value. The resulting file can be a Python script placed in a location reachable by the built-in Script notification agent, which the attacker subsequently triggers to achieve remote code execution on the host.
The project security advisory and associated commit indicate that the issue is resolved by upgrading to Tautulli 2.16.0. The EPSS score remains flat at 0.0139 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27467
Vulnerability details
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write arbitrary python scripts into the application filesystem. This leads to remote code execution when combined with the `Script` notification agent. If an attacker with administrative access changes the URL of the PMS to a server they control, they can then abuse the `pms_image_proxy` to obtain a file write into the application filesystem. This can be done by making a `pms_image_proxy` request with a URL in the `img` parameter and the desired file name in the `img_format` parameter. Tautulli then uses a hash of the desired metadata together with the `img_format` in order to construct a file path. Since the attacker controls `img_format`, which occupies the end of the file path, and `img_format` is not sanitised, the attacker can then use path traversal characters to specify a filename of their choosing. If the specified file does not exist, Tautulli will then attempt to fetch the image from the configured PMS. Since the attacker controls the PMS, they can return arbitrary content in response to this request, which will then be written into the specified file. An attacker can write an arbitrary python script into a location on the application file system. The attacker can then make use of the built-in `Script` notification agent to run the local script, obtaining remote code execution on the application server. Users should upgrade to version 2.16.0 to receive a patch.
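The path construction described in the deeper analysis and in the vulnerability details above, as an added, simplified model. This is not Tautulli's code: the cache directory, the extension allowlist and the function names are assumptions chosen for illustration. It shows the vulnerable pattern (a hash of the metadata followed by the unsanitised `img_format` at the end of the path) next to a hardened version that allowlists the format and confines the resolved path to the cache directory.

```python
import hashlib
import os

# Added illustration of the path-construction flaw described on this page.
# Simplified model, NOT Tautulli's code: CACHE_DIR, ALLOWED_FORMATS and the
# function names are assumptions.

CACHE_DIR = "/opt/app/cache/images"                     # assumed image cache root
ALLOWED_FORMATS = {"png", "jpg", "jpeg", "gif", "webp"}  # assumed extension allowlist


def _metadata_hash(img, width, height):
    """Hash of the requested image metadata; the page says the path is built from this."""
    return hashlib.sha256(f"{img}|{width}|{height}".encode()).hexdigest()


def cache_path_vulnerable(img, img_format, width=0, height=0):
    """Vulnerable pattern: '<hash>.<img_format>' appended to the cache root.

    img_format is caller-controlled and sits at the END of the path, so '..'
    segments inside it walk out of CACHE_DIR. os.path.join does not stop this,
    and normpath merely collapses the '..' segments into the escaped path.
    """
    file_name = f"{_metadata_hash(img, width, height)}.{img_format}"
    return os.path.normpath(os.path.join(CACHE_DIR, file_name))


def is_within(root, candidate):
    """True if candidate resolves (symlinks included) to a path inside root."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def cache_path_hardened(img, img_format, width=0, height=0):
    """Hardened: allowlist the format, then confine the resolved path to CACHE_DIR."""
    if img_format not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported image format: {img_format!r}")
    file_name = f"{_metadata_hash(img, width, height)}.{img_format}"
    candidate = os.path.join(CACHE_DIR, file_name)
    if not is_within(CACHE_DIR, candidate):  # defence in depth behind the allowlist
        raise ValueError("cache path escapes the cache directory")
    return os.path.realpath(candidate)


if __name__ == "__main__":
    # Constructed attacker input: a "format" that is really a traversal to a
    # script location (enough '..' segments to reach the filesystem root).
    evil_format = "/../../../../../../tmp/evil.py"
    print("vulnerable writes to:", cache_path_vulnerable("poster.jpg", evil_format))
    try:
        cache_path_hardened("poster.jpg", evil_format)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("hardened accepts:", cache_path_hardened("poster.jpg", "png"))
```

The allowlist alone closes the traversal, because a value containing `/` or `..` can never match a bare extension; the `is_within` check is kept as a second line of defence so that any later change to how the file name is assembled still cannot place a write outside the cache directory. In the vulnerable variant the content that lands at the escaped path comes from whatever the configured PMS returns, which is why control over the PMS URL turns a cache write into a script drop.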
- CWE(s): CWE-73 (External Control of File Name or Path)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.006 Command and Scripting Interpreter: Python
Why these techniques?
Path traversal in the pms_image_proxy endpoint of the exposed web application gives an authenticated administrator an arbitrary file write (initial access via T1190); combined with the Script notification agent, the written Python payload can be executed for RCE (T1059.006).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents path traversal exploitation by requiring validation and sanitization of the attacker-controlled img_format parameter.
- SI-2 (Flaw Remediation): mitigates the vulnerability comprehensively by identifying, reporting, and applying the vendor-recommended patch (Tautulli 2.16.0) that sanitizes img_format.
- Integrity monitoring: detects the arbitrary file write of malicious Python scripts through monitoring and integrity verification of application filesystem changes.