CVE-2025-66744
Published: 09 January 2026
Summary
CVE-2025-66744 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
In Yonyou YonBIP v3 and earlier versions, the LoginWithV8 interface within the series data application service system contains a path traversal vulnerability tracked as CVE-2025-66744. The flaw, assigned CWE-22 and rated 7.5 under CVSS 3.1, permits unauthorized access to sensitive information stored on the system.
Remote attackers can exploit the issue over the network without authentication or user interaction, reading arbitrary files and thereby disclosing confidential data. The attack requires no privileges and targets the exposed interface directly.
Public references consist of GitHub repositories that demonstrate the path traversal technique. The associated EPSS score rose from a low baseline to a peak of 0.1048 on 2026-02-11 before receding to the current value of 0.0300, indicating that exploitation interest increased after the January 2026 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1719
Vulnerability details
In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Path traversal in the public-facing LoginWithV8 web interface directly enables remote, unauthenticated file access, matching T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the path traversal flaw in the LoginWithV8 interface of Yonyou YonBIP by identifying, reporting, and correcting the specific vulnerability.
- SI-10 (Information Input Validation): Requires validation of user-supplied path inputs to the LoginWithV8 interface, preventing traversal sequences like '../' from accessing sensitive files outside intended directories.
- Enforces logical access controls on sensitive system files and resources, limiting damage from successful path traversal by restricting read permissions based on approved authorizations.
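The input-validation control described above is easiest to judge in code. The following is an added example, not code from the page or from Yonyou: a Python containment check that decodes and canonicalizes a requested path before testing it against a base directory, shown beside the literal '../' denylist it replaces. The base directory, function names and sample requests are constructed assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for this example; the page does not say where
# YonBIP stores the files that the LoginWithV8 interface reads.
BASE_DIR = "/srv/yonbip/public"


def naive_denylist_allows(user_path: str) -> bool:
    """The weak check: a literal '../' substring test on the raw input."""
    return "../" not in user_path


def resolve_requested_path(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path under base_dir, or None if the request escapes it.

    Decode first, normalize second, then test containment; a substring
    denylist alone is bypassed by percent-encoded or backslash variants.
    """
    # Decode percent-encoding twice so double-encoded dots ('%252e') are
    # caught. Whether one or two passes is right depends on what the web
    # framework has already decoded before the handler sees the value.
    decoded = unquote(unquote(user_path))
    # Some servers treat '\' as a separator; normalize it to '/'.
    decoded = decoded.replace("\\", "/")
    # A NUL byte can truncate the path in native code; never pass it on.
    if "\x00" in decoded:
        return None
    # posixpath.join discards base_dir when the input is absolute, so an
    # absolute request fails the containment test below instead of escaping.
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    base = posixpath.normpath(base_dir)
    # Containment: the candidate is base_dir itself or a descendant of it.
    # On a real filesystem, also apply os.path.realpath to both sides so
    # symbolic links inside base_dir cannot point outside it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real exploit.
    for req in ("reports/q1.pdf", "../../etc/passwd", "..%2f..%2fetc%2fpasswd"):
        print(f"{req!r}: denylist allows={naive_denylist_allows(req)}, "
              f"resolved={resolve_requested_path(req)}")
```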