Cyber Posture

CVE-2025-8729

Medium · Public PoC

Published: 08 August 2025

Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0019 (41.0th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8729 is a medium-severity Path Traversal (CWE-22) vulnerability in MigoXLab LMeterX. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 41.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 2 other techniques.
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1105 Ingress Tool Transfer (Tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

Why these techniques?

Path traversal in upload_service directly enables local file read (T1005), directory traversal/discovery (T1083), and arbitrary file write via upload (T1105).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. The manipulation of the argument task_id leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is f1b00597e293d09452aabd4fa57f3185207350e8. It is recommended to apply a patch to fix this issue.

Deeper analysis (AI)

CVE-2025-8729 is a path traversal vulnerability (CWE-22) in MigoXLab LMeterX version 1.2.0. The flaw affects the process_cert_files function in the backend/service/upload_service.py file, where manipulation of the task_id argument enables path traversal attacks.

The vulnerability is exploitable remotely (AV:N) by an attacker with low privileges (PR:L), under low attack complexity (AC:L) and without user interaction (UI:N). With scope unchanged (S:U), exploitation can result in low impact to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3.

Mitigation is available through GitHub commit f1b00597e293d09452aabd4fa57f3185207350e8, which security practitioners should apply to affected installations. Additional details on the issue and resolution appear in the MigoXLab/LMeterX GitHub issues and VulDB entry (ctiid.319225). The exploit has been publicly disclosed and may be in use.
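The control named above for CWE-22, applied to a request-supplied task_id, can be sketched as follows. This is an added example, not LMeterX code and not the referenced patch; the function name `resolve_task_dir`, the task ID format and the sample values are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: task IDs are short tokens of letters, digits, "_" and "-".
TASK_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample inputs: one well-formed ID, several traversal shapes,
# and "linked", a symlink planted inside the upload root by demo().
SAMPLES = ["task-123", "../outside", "a/../../outside", "/etc", "task-1\n", "", "linked"]


class UnsafePathError(ValueError):
    """A request value would place files outside the upload root."""


def resolve_task_dir(upload_root: Path, task_id: str) -> Path:
    """Return the per-task directory under upload_root or raise UnsafePathError."""
    # Layer 1: allowlist. fullmatch() also rejects a trailing newline, which
    # match() with a "$" anchor would let through.
    if not isinstance(task_id, str) or not TASK_ID_RE.fullmatch(task_id):
        raise UnsafePathError(f"rejected task_id: {task_id!r}")
    # Layer 2: resolve ".." and symlinks, then require containment. This still
    # holds if the allowlist is later loosened or a symlink sits in the root.
    root = upload_root.resolve()
    candidate = (root / task_id).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafePathError(f"{task_id!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    """Run the constructed SAMPLES against a throwaway upload root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp) / "uploads", Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        (root / "linked").symlink_to(outside, target_is_directory=True)
        for task_id in SAMPLES:
            try:
                resolve_task_dir(root, task_id)
                results[task_id] = "accepted"
            except UnsafePathError:
                results[task_id] = "rejected"
    return results


if __name__ == "__main__":
    for value, verdict in demo().items():
        print(f"{value!r:22} {verdict}")
```

`Path.is_relative_to` requires Python 3.9 or later. The "linked" case passes the allowlist and is caught only by the containment check, which is why both layers are kept.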

Details

CWE(s)

Affected Products

migoxlab · lmeterx · 1.2.0

CVEs Like This One

CVE-2026-7214 (Shared CWE-22)
CVE-2026-40876 (Shared CWE-22)
CVE-2025-1335 (Shared CWE-22)
CVE-2026-28793 (Shared CWE-22)
CVE-2025-68953 (Shared CWE-22)
CVE-2024-57784 (Shared CWE-22)
CVE-2026-3051 (Shared CWE-22)
CVE-2026-26960 (Shared CWE-22)
CVE-2026-30914 (Shared CWE-22)
CVE-2025-60946 (Shared CWE-22)
