CVE-2025-70028
Published: 09 March 2026
Summary
CVE-2025-70028 is a high-severity Path Traversal (CWE-22) vulnerability in Sunbird-Ed SunbirdEd-portal. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-70028 is a path traversal vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) discovered in Sunbird-Ed SunbirdEd-portal version 1.13.4. Published on 2026-03-09, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for significant availability disruption.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation yields denial-of-service impacts, such as crashing services or exhausting resources; the CVSS vector rates confidentiality and integrity impact as None, so neither is affected.
Mitigation details and advisories are referenced in the following resources: https://gist.github.com/zcxlighthouse/5efe962621a260331fc95ccbfb7f9e7f, https://github.com/Sunbird-Ed, and https://github.com/Sunbird-Ed/SunbirdEd-portal. Security practitioners should review these for patch availability or workarounds specific to the affected component.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208454
Vulnerability details
An issue pertaining to CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing portal directly enables remote exploitation (T1190), resulting in application or system DoS via exploitation (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating information inputs at defined points, directly preventing path traversal by restricting pathnames to authorized directories.
SI-2 ensures timely flaw remediation, including patching the specific path traversal vulnerability in SunbirdEd-portal v1.13.4.
SC-5 protects against denial-of-service by monitoring and limiting resource exhaustion from path traversal exploitation.