Cyber Posture

CVE-2025-70084

High

Published: 11 February 2026

Published
11 February 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0006 18.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70084 is a high-severity Path Traversal (CWE-22) vulnerability in Opensatkit Opensatkit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation
addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
attack.mitre.org →
Why these techniques?

Directory traversal enables remote unauthenticated arbitrary file read (T1005) and deletion (T1070.004) on a public-facing component (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via crafted value to the FileUtil_GetFileInfo function.

Deeper analysisAI

CVE-2025-70084 is a directory traversal vulnerability (CWE-22) in OpenSatKit version 2.2.1. The flaw exists in the FileUtil_GetFileInfo function, which processes crafted input values that enable attackers to access sensitive information or delete arbitrary files.

Remote attackers can exploit this vulnerability without authentication or privileges, requiring only low attack complexity and no user interaction, per the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation allows disclosure of confidential data through unauthorized file reads and potential deletion of files outside intended directories.

References provided include a GitHub Gist at https://gist.github.com/jonafk555, the OpenSatKit repository at https://github.com/OpenSatKit/OpenSatKit, the v2.2.1 release page at https://github.com/OpenSatKit/OpenSatKit/releases/tag/v2.2.1, and the relevant source code file at https://raw.githubusercontent.com/OpenSatKit/OpenSatKit/master/cfs/apps/filemgr/fsw/src/dir.c. No explicit mitigation or patch details are specified in the available information.

Details

CWE(s)
CWE-22

Affected Products

opensatkit
opensatkit
2.2.1

CVEs Like This One

CVE-2025-70085Same product: Opensatkit Opensatkit
CVE-2025-70083Same product: Opensatkit Opensatkit
CVE-2026-3464Shared CWE-22
CVE-2026-33686Shared CWE-22
CVE-2025-30005Shared CWE-22
CVE-2026-33493Shared CWE-22
CVE-2025-9801Shared CWE-22
CVE-2024-54291Shared CWE-22
CVE-2026-23536Shared CWE-22
CVE-2025-23422Shared CWE-22

References