Cyber Posture

CVE-2025-69194

Severity: High
Published: 09 January 2026
Modified: 05 March 2026
KEV Added: not listed (see summary)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-69194 is a high-severity Path Traversal (CWE-22) vulnerability in GNU Wget2. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The vulnerability ranks at the 7.7th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Stored Data Manipulation (T1565.001) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of file paths in Metalink documents to block path traversal exploits in GNU Wget2.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the path validation flaw in Wget2 via patching as described in vendor advisories.

Least privilege (prevent)
Limits damage from arbitrary file writes by enforcing least privilege on processes executing Wget2, restricting access to sensitive locations.

MITRE ATT&CK Enterprise Techniques

T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal enables arbitrary writes to any filesystem location, directly facilitating stored data manipulation or targeted destruction/overwrites.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user's environment.

Deeper analysis

CVE-2025-69194 is a path traversal vulnerability (CWE-22) in GNU Wget2 when processing Metalink documents. The application fails to properly validate file paths specified in Metalink <file name> elements, enabling arbitrary file writes to unintended locations on the filesystem. Published on 2026-01-09, this issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.

A remote attacker without privileges can exploit this by tricking a user into using Wget2 to download or process a maliciously crafted Metalink document, which requires user interaction such as clicking a link or running a command. Upon processing, the invalid paths allow the attacker to overwrite or create files outside the intended download directory, resulting in data loss or enabling further system compromise depending on the targeted locations and permissions.

Mitigation details are provided in the referenced Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2025-69194 and Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2425773. Security practitioners should consult these for patch availability, version-specific guidance, and any recommended workarounds.
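To make the SI-10 control concrete, the following validator is an added example written for this page; it is not Wget2's code or its upstream fix. It parses a constructed Metalink v4 document (namespace urn:ietf:params:xml:ns:metalink, per RFC 5854), applies lexical checks to each <file name> value (relative path only, no "." or ".." components, no empty components, no NUL, no drive-letter prefix), and then confirms after symlink resolution that the resulting path still lies under the download directory. The sample document, the function names and the download directory are assumptions for illustration.

```python
"""Validator for Metalink <file name> values (added example, not Wget2 code)."""
import os
import xml.etree.ElementTree as ET

# Metalink v4 XML namespace (RFC 5854).
METALINK_NS = "urn:ietf:params:xml:ns:metalink"


def is_safe_file_name(name: str) -> bool:
    """Lexical checks on a <file name> value before it ever touches the filesystem."""
    if not name or "\x00" in name:
        return False
    # Treat backslash as a separator too, so "..\\x" cannot slip past on any platform.
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return False
    # Conservatively reject Windows-style drive prefixes such as "C:/x".
    if len(normalized) > 1 and normalized[1] == ":":
        return False
    parts = normalized.split("/")
    # Empty components cover "a//b" and trailing slashes; "." and ".." cover traversal.
    return all(part not in ("", ".", "..") for part in parts)


def resolve_under(base_dir: str, name: str) -> str:
    """Return the absolute target path, or raise ValueError if it would escape base_dir.

    The lexical check runs first; the realpath comparison then catches escapes via
    a symlinked subdirectory inside base_dir that points outside it.
    """
    if not is_safe_file_name(name):
        raise ValueError(f"unsafe file name: {name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"file name escapes download directory: {name!r}")
    return target


def plan_downloads(metalink_xml: str, base_dir: str):
    """Parse a Metalink v4 document and classify every <file name> as accept or reject.

    Returns a list of (name, verdict, detail) tuples; detail is the resolved path for
    accepted names and the rejection reason otherwise.
    """
    root = ET.fromstring(metalink_xml)
    results = []
    for file_el in root.iter(f"{{{METALINK_NS}}}file"):
        name = file_el.get("name", "")
        try:
            results.append((name, "accept", resolve_under(base_dir, name)))
        except ValueError as exc:
            results.append((name, "reject", str(exc)))
    return results


# Constructed sample: two legitimate names and two that must be rejected.
SAMPLE_METALINK = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="example.iso"><url>https://mirror.example.invalid/example.iso</url></file>
  <file name="../../.bashrc"><url>https://mirror.example.invalid/x</url></file>
  <file name="/etc/passwd"><url>https://mirror.example.invalid/y</url></file>
  <file name="sub/dir/file.txt"><url>https://mirror.example.invalid/file.txt</url></file>
</metalink>"""

if __name__ == "__main__":
    for name, verdict, detail in plan_downloads(SAMPLE_METALINK, "downloads"):
        print(f"{verdict:6} {name!r}: {detail}")
```

Both layers matter: the lexical check rejects malformed names cheaply and gives a clear error message, while the realpath comparison is what actually guarantees the write lands under the download directory even when the directory tree contains symlinks. Running the validator on the sample accepts "example.iso" and "sub/dir/file.txt" and rejects the other two.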

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

gnu
wget2
≤ 2.2.1

CVEs Like This One

CVE-2025-69195 (same product: GNU Wget2)
CVE-2025-40889 (shared CWE-22)
CVE-2026-41383 (shared CWE-22)
CVE-2026-28791 (shared CWE-22)
CVE-2026-25161 (shared CWE-22)
CVE-2025-51480 (shared CWE-22)
CVE-2025-25371 (shared CWE-22)
CVE-2025-15281 (same vendor: GNU)
CVE-2026-5450 (same vendor: GNU)
CVE-2025-69649 (same vendor: GNU)

References