Cyber Posture

CVE-2025-9801

Medium · Public PoC

Published: 01 September 2025

Modified: 29 April 2026
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0012 (30.0th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9801 is a medium-severity Path Traversal (CWE-22) vulnerability in Sim Sim. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 30.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 3 other techniques.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Path traversal directly enables arbitrary file read (T1005/T1083), deletion (T1070.004), and remote exploitation of a public-facing app (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. This affects an unknown part. The manipulation of the argument filePath leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 45372aece5e05e04b417442417416a52e90ba174. To fix this issue, it is recommended to deploy a patch.

Deeper analysis (AI)

CVE-2025-9801 is a path traversal vulnerability (CWE-22) in SimStudioAI's sim software, affecting commits up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. The flaw stems from manipulation of the filePath argument in an unknown component, enabling attackers to access or manipulate files outside the intended directory. It carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and was published on 2025-09-01.

Remote exploitation is possible by low-privileged users (PR:L) over the network with low attack complexity and no user interaction. Attackers can achieve limited impacts on integrity (I:L) and availability (A:L), such as reading, writing, or deleting arbitrary files via traversed paths, while confidentiality remains unaffected.

Advisories recommend deploying the patch at commit 45372aece5e05e04b417442417416a52e90ba174 to remediate the issue. Due to the product's rolling release model, no specific version numbers are provided for affected or fixed builds. Details are available in GitHub issue #959 and related comments.

The exploit has been publicly disclosed and may be used in the wild.

Details

CWE(s)

Affected Products

sim
sim
≤ 0.3.40

CVEs Like This One

CVE-2026-3431: Same product: Sim Sim
CVE-2026-3432: Same product: Sim Sim
CVE-2026-3464: Shared CWE-22
CVE-2026-30914: Shared CWE-22
CVE-2025-60946: Shared CWE-22
CVE-2024-57549: Shared CWE-22
CVE-2026-33686: Shared CWE-22
CVE-2025-2264: Shared CWE-22
CVE-2025-30005: Shared CWE-22
CVE-2026-6024: Shared CWE-22
