CVE-2025-8729
Published: 08 August 2025
Summary
CVE-2025-8729 is a low-severity Path Traversal (CWE-22) vulnerability in Migoxlab Lmeterx. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 30.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-8729 is a path traversal vulnerability (CWE-22) in MigoXLab LMeterX version 1.2.0. The flaw affects the process_cert_files function in the backend/service/upload_service.py file, where manipulation of the task_id argument enables path traversal attacks.
The vulnerability is exploitable remotely (AV:N) by an attacker with low privileges (PR:L), under low attack complexity (AC:L) and without user interaction (UI:N). Exploitation in an unscoped impact scenario (S:U) can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3.
Mitigation is available through GitHub commit f1b00597e293d09452aabd4fa57f3185207350e8, which security practitioners should apply to affected installations. Additional details on the issue and resolution appear in the MigoXLab/LMeterX GitHub issues and VulDB entry (ctiid.319225). The exploit has been publicly disclosed and may be in use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23986
Vulnerability details
A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. The manipulation of the argument task_id leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is f1b00597e293d09452aabd4fa57f3185207350e8. It is recommended to apply a patch to fix this issue.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in upload_service directly enables local file read (T1005), directory traversal/discovery (T1083), and arbitrary file write via upload (T1105).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as task_id before they are used in file operations, blocking the path-traversal manipulation in process_cert_files.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patch (commit f1b00597) that eliminates the path-traversal flaw in upload_service.py.
- Least privilege for the service account: limits the file-system privileges of the LMeterX service account so that even a successful traversal yields minimal additional access.
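As an added illustration (not LMeterX's own code; the per-task directory layout, UPLOAD_ROOT and the task-id allowlist are assumptions), the CWE-22 pattern the deeper analysis describes for process_cert_files is shown beside the SI-10 style input validation the first control calls for:

```python
"""Illustrative reconstruction of the path-traversal pattern behind CVE-2025-8729
and a hardened replacement. Assumed layout: per-task certificate uploads live
under UPLOAD_ROOT/<task_id>/certs. This is not LMeterX's code."""
from pathlib import Path
import re

UPLOAD_ROOT = Path("/var/lib/lmeterx/uploads")   # assumed location, for illustration
TASK_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed allowlist for identifiers


def cert_dir_unsafe(task_id: str) -> Path:
    """The vulnerable pattern: the untrusted task_id is joined straight into a
    filesystem path. '..' segments survive the join, and an absolute task_id
    replaces the root entirely."""
    return UPLOAD_ROOT / task_id / "certs"


def cert_dir_safe(task_id: str, root: Path = UPLOAD_ROOT) -> Path:
    """SI-10 style validation in two layers:
    1. allowlist the identifier's syntax (no '/', '\\', '.', NUL, empty string);
    2. resolve the final path and confirm it still sits under the upload root."""
    if not TASK_ID_RE.fullmatch(task_id):
        raise ValueError("rejected task_id: bad syntax")
    root = root.resolve()
    target = (root / task_id / "certs").resolve()
    if root not in target.parents:  # defence in depth; layer 1 already rules this out
        raise ValueError("rejected task_id: escapes upload root")
    return target


def naive_join_escapes(task_id: str) -> bool:
    """True when the vulnerable join would land outside UPLOAD_ROOT."""
    return UPLOAD_ROOT.resolve() not in cert_dir_unsafe(task_id).resolve().parents


def validate(task_id: str) -> str:
    """'accepted' or 'rejected', so outcomes can be checked without exceptions."""
    try:
        cert_dir_safe(task_id)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for tid in ("task-42", "../../tmp", "/etc", "a b"):  # constructed sample inputs
        print(f"{tid!r:14} naive_escapes={naive_join_escapes(tid)!s:5} hardened={validate(tid)}")
```

The syntax allowlist does most of the work; the resolved-path check only catches mistakes if the allowlist is later loosened.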