CVE-2025-8815
Published: 10 August 2025
Summary
CVE-2025-8815 is a medium-severity Path Traversal (CWE-22) vulnerability in Morning-Pro Morning. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
A vulnerability identified as CVE-2025-8815 exists in 猫宁i Morning up to commit bc782730c74ff080494f145cc363a0b4f43f7d3e and has been rated with a CVSS score of 5.5. It is a path traversal flaw (CWE-22) located in an unknown function of the /index file within the Shiro Configuration component. The product follows a rolling release model, so no specific affected or fixed versions are listed.
The issue can be triggered remotely without authentication or user interaction. An attacker supplying crafted input may read or modify files outside intended directories, resulting in limited impacts to confidentiality, integrity, and availability.
The exploit has been made public via Gitee issue tracking and Vuldb entries, though the current EPSS score remains flat at 0.0150 with no observed increase after disclosure. No mitigation details or patch information appear in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24097
Vulnerability details
A vulnerability was found in 猫宁i Morning up to bc782730c74ff080494f145cc363a0b4f43f7d3e. It has been classified as critical. Affected is an unknown function of the file /index of the component Shiro Configuration. The manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated exploitation of a public-facing web application through Shiro path traversal for authentication bypass combined with unsafe Fastjson deserialization (T1190), directly facilitating remote command execution via system interpreters (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted inputs to the /index endpoint, blocking the path traversal sequences that enable the CVE-2025-8815 attack.
- AC-3 (Access Enforcement): enforces access-control decisions on file-system resources so that even a successful traversal cannot obtain unauthorized read/write access to protected paths.
- AC-4 (Information Flow Enforcement): mediates information flow between the Shiro-configured web layer and the underlying file system, preventing unauthorized traversal-based data exfiltration or modification.
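The SI-10 control above asks for validation of the path-like input before it reaches the file system. The following is an added example, not code from the Morning project or from the advisory, of the canonicalize-then-verify check a web handler can apply to a user-supplied file path: decode once, normalise, resolve symlinks, and confirm the result is still inside the allowed base directory. The base directory `/srv/morning/static`, the function names `safe_join` and `is_allowed`, and the sample request paths are all constructed for illustration.

```python
"""Added example: a canonicalize-then-verify check for user-supplied file paths,
the kind of input validation (NIST 800-53 SI-10) that blocks CWE-22 traversal.
This is not code from the Morning project; the base directory and the sample
request paths below are constructed for illustration.
"""
import os
import posixpath
from urllib.parse import unquote

# Constructed example: the only directory the web layer may serve files from.
BASE_DIR = "/srv/morning/static"


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def safe_join(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` inside `base_dir`, or raise.

    Defensive steps, in order:
      1. Percent-decode once so encoded dot segments (%2e%2e) are visible.
      2. Reject NUL bytes, which can truncate the path in native file APIs.
      3. Treat backslashes as separators, refuse absolute paths, and refuse
         anything that still begins with '..' after lexical normalisation.
      4. Resolve symlinks and confirm the result is still under base_dir.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Backslash is a separator on Windows; normalising it here keeps the
    # check identical on every platform (legitimate names rarely contain it).
    decoded = decoded.replace("\\", "/")
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute paths are not allowed")
    normalised = posixpath.normpath(decoded)
    if normalised == ".." or normalised.startswith("../"):
        raise PathTraversalError("path escapes base directory")

    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, normalised))
    # commonpath is the robust containment test: a plain string-prefix check
    # would wrongly accept "/srv/morning/static-old/..." as inside the base.
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise PathTraversalError("resolved path is outside base directory")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Boolean form of the same check, convenient for a request filter."""
    try:
        safe_join(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample request paths, not taken from the advisory.
    samples = [
        "css/app.css",
        "img/../css/app.css",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
        "..\\..\\windows\\win.ini",
        "logo\x00.png",
    ]
    for s in samples:
        verdict = "allow" if is_allowed(BASE_DIR, s) else "REJECT"
        print(f"{s!r:40} -> {verdict}")
```

The check decodes the input exactly once, which mirrors what a typical servlet container has already done by the time the handler sees the path; if a later layer decodes again, the check must be repeated after that decoding, otherwise a double-encoded sequence slips through as a harmless-looking literal. Pair this with AC-3 style enforcement (the process serving `/index` should have read access to the base directory only) so that a gap in validation still cannot reach files outside it.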