Cyber Resilience

CVE-2025-60915

Severity: High
Published: 24 November 2025
Modified: 28 November 2025
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-60915 is a high-severity Path Traversal (CWE-22) vulnerability in Craws Openatlas. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 30.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-60915 is a path traversal vulnerability (CWE-22) in the size query parameter handled by the /views/file.py endpoint of the Austrian Archaeological Institute's Openatlas software, in versions before v8.12.0. Published on 2025-11-24, it lets an attacker traverse directory paths through a crafted HTTP request and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this remotely over the network with low attack complexity and no user interaction. Successful exploitation has high confidentiality and integrity impact: it can give unauthorized access to sensitive files on the server, including local file inclusion that exposes configuration data.

Advisories recommend upgrading to Openatlas v8.12.0 or later to mitigate the issue. Further details on the vulnerability, including proof-of-concept exploitation, are documented at https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-lfi-konfigurationsdatei-exfiltration/ and https://www.sec4you-pentest.com/schwachstellen/.


Vulnerability details

An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute a path traversal via a crafted request.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The path traversal flaw sits in a public-facing web application endpoint (/views/file.py) and lets low-privileged authenticated users remotely access and exfiltrate sensitive local files, including configuration data, which maps directly to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-51534 · Same product: Craws Openatlas
CVE-2025-51536 · Same product: Craws Openatlas
CVE-2025-64075 · Shared CWE-22
CVE-2024-53537 · Shared CWE-22
CVE-2024-36512 · Shared CWE-22
CVE-2025-0493 · Shared CWE-22
CVE-2025-70231 · Shared CWE-22
CVE-2026-43888 · Shared CWE-22
CVE-2025-15031 · Shared CWE-22
CVE-2026-25785 · Shared CWE-22

Affected Assets

craws openatlas ≤ 8.12.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses path traversal by requiring validation of the size query parameter in /views/file.py to detect and block malicious directory traversal inputs.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the specific flaw in Openatlas versions before v8.12.0 by patching or upgrading to the fixed version.

SC-7 Boundary Protection (prevent)
Boundary protection at web interfaces can filter crafted HTTP requests containing path traversal sequences before they reach the vulnerable endpoint.
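As an added illustration of the CWE-22 pattern described under Deeper analysis and of the SI-10 input-validation control above (this is not OpenAtlas code and is not taken from the cited advisories): a hypothetical Python handler that resolves a file path from a size query parameter, shown in its unsafe form beside a hardened version, plus a detector that flags traversal sequences in constructed access-log lines. The storage root, the allowed size values and the URL paths are assumptions.

```python
# Added illustration of CWE-22 and the SI-10 control. NOT OpenAtlas code:
# the handler, storage layout, allowlist and log lines are constructed.
import os
import re
from typing import List, Optional
from urllib.parse import unquote

BASE_DIR = os.path.realpath("/srv/app/uploads")      # assumed storage root
ALLOWED_SIZES = {"thumbnail", "table", "original"}    # hypothetical allowlist


def vulnerable_path(size: str, name: str) -> str:
    """Unsafe pattern: the query parameter is joined straight into a path,
    so a value such as '../../etc' walks out of BASE_DIR."""
    return os.path.join(BASE_DIR, size, name)


def safe_path(size: str, name: str) -> Optional[str]:
    """SI-10 style validation: allowlist the parameter, then verify that the
    resolved path is still inside BASE_DIR. Returns None on any violation."""
    if size not in ALLOWED_SIZES:
        return None
    # realpath collapses '..' and symlinks; an absolute 'name' replaces the
    # base entirely in os.path.join, which the containment check also catches
    candidate = os.path.realpath(os.path.join(BASE_DIR, size, name))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


# Detection side: flag requests whose size value carries a traversal
# sequence, after unwinding single and double URL encoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")
SIZE_PARAM = re.compile(r"[?&]size=([^&\s\"]+)")


def flag_log_lines(lines: List[str]) -> List[str]:
    flagged = []
    for line in lines:
        m = SIZE_PARAM.search(line)
        if m and TRAVERSAL.search(unquote(unquote(m.group(1)))):
            flagged.append(line)
    return flagged


SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '10.0.0.5 - - "GET /file/42?size=thumbnail HTTP/1.1" 200',
    '10.0.0.9 - - "GET /file/42?size=..%2F..%2Fetc HTTP/1.1" 200',
    '10.0.0.9 - - "GET /file/42?size=%252e%252e%252fetc HTTP/1.1" 200',
]
```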
