Cyber Resilience

CVE-2025-58762

Critical · Public PoC

Published: 09 September 2025
Modified: 18 September 2025
KEV Added: not listed
Patch: upgrade to Tautulli 2.16.0
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0139 (80.8th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-58762 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Tautulli (vendor and product: Tautulli). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Tautulli, a Python-based monitoring and tracking tool for Plex Media Server, contains a path traversal vulnerability in versions 2.15.3 and earlier. An authenticated administrator can abuse the pms_image_proxy endpoint by supplying a crafted img_format parameter containing directory traversal sequences, combined with control over the configured Plex Media Server URL, to write arbitrary files to the application filesystem.

An attacker with administrative access first redirects the PMS URL to a server under their control. They then issue a pms_image_proxy request that causes Tautulli to fetch attacker-supplied content and store it at a path ending in the unsanitized img_format value. The resulting file can be a Python script placed in a location reachable by the built-in Script notification agent, which the attacker subsequently triggers to achieve remote code execution on the host.

The project security advisory and associated commit indicate that the issue is resolved by upgrading to Tautulli 2.16.0. The EPSS score remains flat at 0.0139 with no observed increase after disclosure.

Vulnerability details

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write arbitrary Python scripts into the application filesystem. This leads to remote code execution when combined with the `Script` notification agent. If an attacker with administrative access changes the URL of the PMS to a server they control, they can then abuse the `pms_image_proxy` to obtain a file write into the application filesystem. This can be done by making a `pms_image_proxy` request with a URL in the `img` parameter and the desired file name in the `img_format` parameter. Tautulli then uses a hash of the desired metadata together with the `img_format` in order to construct a file path. Since the attacker controls `img_format`, which occupies the end of the file path, and `img_format` is not sanitised, the attacker can then use path traversal characters to specify a filename of their choosing. If the specified file does not exist, Tautulli will then attempt to fetch the image from the configured PMS. Since the attacker controls the PMS, they can return arbitrary content in response to this request, which will then be written into the specified file. An attacker can write an arbitrary Python script into a location on the application file system. The attacker can then make use of the built-in `Script` notification agent to run the local script, obtaining remote code execution on the application server. Users should upgrade to version 2.16.0 to receive a patch.

CWE(s)

CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Path traversal in public pms_image_proxy endpoint enables arbitrary file write (initial access via T1190); combined with Script notification agent allows writing/executing Python payloads for RCE (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28505: same product (Tautulli)
CVE-2025-58760: same product (Tautulli)
CVE-2025-58761: same product (Tautulli)
CVE-2026-31831: same product (Tautulli)
CVE-2026-32275: same product (Tautulli)
CVE-2026-40370: shared CWE-73
CVE-2025-10134: shared CWE-73
CVE-2025-65115: shared CWE-73
CVE-2025-65473: shared CWE-73
CVE-2025-12529: shared CWE-73

Affected Assets

Vendor: tautulli
Product: tautulli
Versions: ≤ 2.16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: SI-10 (Information Input Validation). Directly prevents path traversal exploitation by requiring validation and sanitization of the attacker-controlled img_format parameter.

Prevent: SI-2 (Flaw Remediation). Mitigates the vulnerability comprehensively by identifying, reporting, and applying the vendor-recommended patch that sanitizes img_format.

Detect: Detects the arbitrary file write of malicious Python scripts through monitoring and integrity verification of application filesystem changes.
