CVE-2025-9801
Published: 01 September 2025
Summary
CVE-2025-9801 is a low-severity Path Traversal (CWE-22) vulnerability in Sim Sim. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 39.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-9801 is a path traversal vulnerability (CWE-22) in SimStudioAI's sim software, affecting commits up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. The flaw stems from manipulation of the filePath argument in an unknown component, enabling attackers to access or manipulate files outside the intended directory. It carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and was published on 2025-09-01.
Remote exploitation is possible by low-privileged users (PR:L) over the network with low attack complexity and no user interaction. Attackers can achieve limited impacts on integrity (I:L) and availability (A:L), such as reading, writing, or deleting arbitrary files via traversed paths, while confidentiality remains unaffected.
Advisories recommend deploying the patch at commit 45372aece5e05e04b417442417416a52e90ba174 to remediate the issue. Due to the product's rolling release model, no specific version numbers are provided for affected or fixed builds. Details are available in GitHub issue #959 and related comments.
The exploit has been publicly disclosed and may be used in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26364
Vulnerability details
A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. This affects an unknown part. The manipulation of the argument filePath leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 45372aece5e05e04b417442417416a52e90ba174. To fix this issue, it is recommended to deploy a patch.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal directly enables arbitrary file read (T1005/T1083), deletion (T1070.004), and remote exploitation of a public-facing app (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of the filePath argument to reject path traversal sequences before file operations occur.
Enforces access control policy on file resources so that traversed paths outside the intended directory are denied regardless of the supplied filePath value.
Requires prompt application of the vendor patch (commit 45372ae) that eliminates the path traversal flaw in the affected code.
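One way to combine the input-validation and access-enforcement controls above for a client-supplied filePath, as an added example (not SimStudioAI's code or its patch). The names `resolve_inside` and `PathRejected` and the directory layout in the demo are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a client-supplied filePath fails validation or containment."""


def resolve_inside(base_dir: str, file_path: str) -> Path:
    """Return the absolute path for file_path, guaranteed to lie under base_dir."""
    # Input validation: run this on the decoded value (after any URL decoding)
    # and reject forms that are never legitimate for a relative file name.
    if not file_path or "\x00" in file_path:
        raise PathRejected("empty path or NUL byte")
    if os.path.isabs(file_path) or "\\" in file_path:
        raise PathRejected("absolute path or backslash separator")
    if ".." in file_path.split("/"):
        raise PathRejected("parent-directory segment")

    # Access enforcement: decide on the resolved path, not on the string.
    # realpath follows symlinks, so a link inside base_dir that points
    # elsewhere is caught even though the string itself looked clean.
    base = Path(os.path.realpath(base_dir))
    target = Path(os.path.realpath(base / file_path))
    try:
        # relative_to compares whole path components, so a sibling such as
        # ".../uploads-old" is not treated as inside ".../uploads" the way a
        # naive startswith() prefix check would treat it.
        target.relative_to(base)
    except ValueError:
        raise PathRejected("resolves outside base directory") from None
    return target


if __name__ == "__main__":
    # Constructed layout: uploads/ is the allowed root, uploads-old/ is not.
    root = tempfile.mkdtemp()
    base, sibling = os.path.join(root, "uploads"), os.path.join(root, "uploads-old")
    os.makedirs(base)
    os.makedirs(sibling)
    os.symlink(sibling, os.path.join(base, "link"))
    for candidate in ["report.txt", "../uploads-old/x", "/etc/passwd", "link/x"]:
        try:
            print("allowed ", resolve_inside(base, candidate))
        except PathRejected as err:
            print("rejected", repr(candidate), "-", err)
```

The returned path, not the original string, is what the subsequent file operation should open, so that validation and use refer to the same location.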