Cyber Resilience

CVE-2025-70084

High

Published: 11 February 2026

Published
11 February 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0006 19.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70084 is a high-severity Path Traversal (CWE-22) vulnerability in Opensatkit Opensatkit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-70084 is a directory traversal vulnerability (CWE-22) in OpenSatKit version 2.2.1. The flaw exists in the FileUtil_GetFileInfo function, which processes crafted input values that enable attackers to access sensitive information or delete arbitrary files.

Remote attackers can exploit this vulnerability without authentication or privileges, requiring only low attack complexity and no user interaction, per the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation allows disclosure of confidential data through unauthorized file reads and potential deletion of files outside intended directories.

References provided include a GitHub Gist at https://gist.github.com/jonafk555, the OpenSatKit repository at https://github.com/OpenSatKit/OpenSatKit, the v2.2.1 release page at https://github.com/OpenSatKit/OpenSatKit/releases/tag/v2.2.1, and the relevant source code file at https://raw.githubusercontent.com/OpenSatKit/OpenSatKit/master/cfs/apps/filemgr/fsw/src/dir.c. No explicit mitigation or patch details are specified in the available information.

EU & UK References

Vulnerability details

Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via crafted value to the FileUtil_GetFileInfo function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Directory traversal enables remote unauthenticated arbitrary file read (T1005) and deletion (T1070.004) on a public-facing component (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-70085Same product: Opensatkit Opensatkit
CVE-2025-70083Same product: Opensatkit Opensatkit
CVE-2026-33686Shared CWE-22
CVE-2026-33493Shared CWE-22
CVE-2026-3464Shared CWE-22
CVE-2026-25069Shared CWE-22
CVE-2025-30005Shared CWE-22
CVE-2024-54291Shared CWE-22
CVE-2025-9801Shared CWE-22
CVE-2026-3666Shared CWE-22

Affected Assets

opensatkit
opensatkit
2.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates directory traversal by validating and sanitizing crafted file path inputs to the FileUtil_GetFileInfo function.

prevent

Enforces access control policies to block unauthorized reads or deletions of files outside intended directories despite crafted inputs.

prevent

Limits the privileges of the vulnerable OpenSatKit process to reduce the scope of files accessible or deletable via traversal.

References