CVE-2025-63414
Published: 16 December 2025
Summary
CVE-2025-63414 is a critical-severity Path Traversal (CWE-22) vulnerability in Allskyteam Allsky. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of information inputs such as the 'id' parameter to block path traversal and command injection in the /html/execute.php endpoint.
SI-2 mandates timely identification, testing, and correction of flaws like the path traversal vulnerability in Allsky WebUI v2024.12.06_06.
SC-7 enforces boundary protection to monitor and control HTTP requests, enabling web application firewalls to block crafted payloads exploiting the unauthenticated RCE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
T1190 for unauthenticated RCE via public-facing web application endpoint; T1059.004 as the path traversal enables arbitrary OS command injection on likely Unix/Linux system.
NVD Description
A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker…
more
can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).
Deeper analysisAI
CVE-2025-63414 is a Path Traversal vulnerability (CWE-22) in the Allsky WebUI version v2024.12.06_06 that enables arbitrary command injection (CWE-78). The flaw resides in the /html/execute.php endpoint, where insufficient validation of the 'id' parameter allows attackers to traverse paths and execute OS commands. Published on 2025-12-16, it carries a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe due to its network accessibility, low complexity, lack of privileges or user interaction required, and high impact across confidentiality, integrity, and availability with scope expansion.
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the 'id' parameter. Successful exploitation leads to full remote code execution (RCE) on the underlying operating system, potentially granting complete control over the affected Allsky WebUI instance.
References include a detailed advisory at https://gh0stmezh.wordpress.com/2025/12/02/cve-2025-63414/, the Allsky GitHub repository at https://github.com/AllskyTeam/allsky, and the vulnerable source file at https://github.com/AllskyTeam/allsky/blob/master/html/execute.php. Security practitioners should review these for patch details, updates, or mitigation guidance directly from the vendor or researchers.
Details
- CWE(s)