Cyber Resilience

CVE-2025-8729

Low severity · Public PoC

Published: 08 August 2025
Modified: 29 April 2026
KEV Added
Patch
CVSS Score (v4): 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0060 (69.8th percentile)
Risk Priority: 5 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8729 is a low-severity Path Traversal (CWE-22) vulnerability in Migoxlab Lmeterx. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 30.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-8729 is a path traversal vulnerability (CWE-22) in MigoXLab LMeterX version 1.2.0. The flaw affects the process_cert_files function in the backend/service/upload_service.py file, where manipulation of the task_id argument enables path traversal attacks.

The vulnerability is exploitable remotely (AV:N) by an attacker with low privileges (PR:L), under low attack complexity (AC:L) and without user interaction (UI:N). With scope unchanged (S:U), exploitation can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3 (the 2.1 figure above is the CVSS 4.0 score).

Mitigation is available through GitHub commit f1b00597e293d09452aabd4fa57f3185207350e8, which security practitioners should apply to affected installations. Additional details on the issue and resolution appear in the MigoXLab/LMeterX GitHub issues and VulDB entry (ctiid.319225). The exploit has been publicly disclosed and may be in use.


Vulnerability details

A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. The manipulation of the argument task_id leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is f1b00597e293d09452aabd4fa57f3185207350e8. It is recommended to apply a patch to fix this issue.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Path traversal in upload_service directly enables local file read (T1005), directory traversal/discovery (T1083), and arbitrary file write via upload (T1105).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-22)

CVE-2026-7214
CVE-2026-40876
CVE-2021-47849
CVE-2024-57784
CVE-2026-28793
CVE-2025-1335
CVE-2025-68953
CVE-2026-44973
CVE-2026-34911
CVE-2026-41589

Affected Assets

migoxlab lmeterx 1.2.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 (Information Input Validation): Directly requires validation of untrusted inputs such as task_id before use in file operations, blocking the path-traversal manipulation in process_cert_files.

prevent · SI-2 (Flaw Remediation): Mandates timely application of the vendor patch (commit f1b00597) that eliminates the path-traversal flaw in upload_service.py.

prevent: Limits the file-system privileges of the LMeterX service account so that even a successful traversal yields minimal additional access.
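As an added illustration of the SI-10 control above (example code written for this page, not LMeterX's own upload_service.py), a Python check that validates task_id before it reaches any file operation; the upload root, the task_id format and the function names are assumptions, since the advisory does not describe the project's layout.

```python
import re
from pathlib import Path

# Assumed upload root; the advisory does not say where LMeterX stores uploads.
UPLOAD_ROOT = Path("/var/lib/lmeterx/uploads").resolve()

# Assumed task_id format: a short opaque token of letters, digits, '-' and '_'.
# Anything else (including '.', '/', '\\' and NUL) fails before path logic runs.
TASK_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class InvalidTaskId(ValueError):
    """Raised when task_id fails the allow-list or the containment check."""


def cert_dir_for_task(task_id: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return root/<task_id>, refusing any task_id that could escape root.

    Two independent layers: an allow-list on the identifier itself, and a
    containment check on the resolved path. The second layer is defence in
    depth in case the allow-list is ever loosened to admit more characters.
    """
    if not isinstance(task_id, str) or TASK_ID_RE.fullmatch(task_id) is None:
        raise InvalidTaskId(f"task_id rejected by allow-list: {task_id!r}")
    candidate = (root / task_id).resolve()  # normalises '..' and symlinks
    try:
        rel = candidate.relative_to(root)    # ValueError if outside root
    except ValueError:
        raise InvalidTaskId(f"task_id escapes upload root: {task_id!r}") from None
    if str(rel) in ("", "."):
        raise InvalidTaskId("task_id resolves to the upload root itself")
    return candidate


def is_safe_task_id(task_id: str, root: Path = UPLOAD_ROOT) -> bool:
    """Yes/no wrapper for callers that only need to accept or reject."""
    try:
        cert_dir_for_task(task_id, root)
        return True
    except InvalidTaskId:
        return False


if __name__ == "__main__":
    # Constructed samples: one legitimate id, the rest shaped like traversal.
    for sample in ["task-20250808_01", "../../etc/passwd", "..", "a/b", ""]:
        print(f"{sample!r:22} -> {'accepted' if is_safe_task_id(sample) else 'rejected'}")
```

Rejections are a useful detection signal too: logging each InvalidTaskId with the offending value gives SOC teams a direct indicator of traversal attempts against the upload endpoint.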
