Sismics Teedy CVE-2025-11853

Severity: LOW (CVSS 4.0 base score 2.1, NVD)
Weakness: Incorrect Privilege Assignment (CWE-266)
Published: 2025-10-16 (CNA: cna@vuldb.com)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Base metrics, as read from the NVD vector above:

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Safety (S, supplemental): Not Defined (X)

Lifecycle Timeline

1. Analysis generated: Apr 29, 2026 - 01:34 (vuln.today)

Description (CVE.org)

A vulnerability was determined in Sismics Teedy up to 1.11. This affects an unknown function of the file /api/file of the component API Endpoint. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Improper access controls in Sismics Teedy up to version 1.11 allow authenticated remote attackers to manipulate requests to the /api/file endpoint, leading to unauthorized information disclosure. Exploit code is publicly available, and all versions through 1.11 are affected; the vendor has not responded to disclosure notifications. Given the EPSS score of 0.05% and the low CVSS impact ratings despite network reachability, real-world exploitation appears limited to scenarios where an attacker already holds valid credentials for the instance.

Technical Context (AI-generated)

This vulnerability resides in the /api/file API endpoint of Sismics Teedy, a document management system. The root cause is classified as CWE-266: Incorrect Privilege Assignment, indicating that the endpoint fails to enforce access control checks properly when processing file-related API requests. The attack vector is network-based and the complexity is low, but the CVSS v4.0 vector specifies PR:L: an attacker must already hold valid user credentials on the instance to exploit the flaw. The defect allows manipulation of the file access logic, resulting in access to files that should be restricted to other users or roles.

Remediation (AI-generated)

Upgrade Sismics Teedy to a version newer than 1.11 as soon as one is available from the vendor. No vendor advisory or patched version number was identified in the available sources, and the vendor has not responded to disclosure notifications, so the status of a formal fix is uncertain. As a compensating control pending vendor action, use network segmentation or WAF rules to restrict the /api/file endpoint to the accounts that genuinely require file access, and monitor API logs for suspicious file access or manipulation requests from authenticated accounts (for example, an account reading or deleting files it does not own, or walking through many distinct file identifiers). Additionally, review the access control configuration within Teedy to confirm that role-based access controls (RBAC) are set up correctly and prevent users from reaching files belonging to other users or to restricted document sets. If an upgrade is not immediately possible, disable or restrict access to the /api/file endpoint entirely until a fix is deployed.
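The log-monitoring control above is easier to act on with a concrete check. The following Python script is an added example, not part of this advisory and not Teedy's own code: it replays access-log lines through two defender-side rules, flagging successful /api/file requests for files the requesting account is not permitted to read, and accounts that touch an unusually large number of distinct file identifiers. The log line layout, the /api/file/<file id>/<action> path shape, the ACL map and the sample log lines are all assumptions constructed for this illustration; adapt the regular expressions and the ACL source to your deployment.

```python
"""Flag suspicious /api/file requests from authenticated accounts.

Added example, not part of the advisory or of Teedy's code. The log format,
path layout, ACL map and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed access-log layout: "<timestamp> <user> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed path shape for the endpoint named in the advisory.
FILE_PATH_RE = re.compile(r"^/api/file/(?P<file_id>[A-Za-z0-9_-]+)(?:/(?P<action>\w+))?$")

# Constructed ACL: file id -> accounts permitted to read that file.
ACL = {
    "f-1001": {"alice"},
    "f-1002": {"alice", "bob"},
    "f-2001": {"bob"},
    "f-3001": {"carol"},
}

# Constructed sample log lines: bob reaches files he is not allowed to read.
SAMPLE_LOG = """\
2025-10-16T10:00:01Z alice GET /api/file/f-1001/data 200
2025-10-16T10:00:05Z bob GET /api/file/f-1002/data 200
2025-10-16T10:01:00Z bob GET /api/file/f-1001/data 200
2025-10-16T10:01:02Z bob GET /api/file/f-3001/data 200
2025-10-16T10:01:03Z bob DELETE /api/file/f-3001 200
2025-10-16T10:05:00Z carol GET /api/file/f-3001/data 200
2025-10-16T10:05:10Z carol GET /api/file/f-9999/data 404
"""


def parse_line(line):
    """Return a dict for a /api/file request, or None for other/unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = FILE_PATH_RE.match(m.group("path"))
    if not p:
        return None
    return {
        "ts": m.group("ts"),
        "user": m.group("user"),
        "method": m.group("method"),
        "file_id": p.group("file_id"),
        "action": p.group("action"),
        "status": int(m.group("status")),
    }


def find_suspicious(log_text, acl, enum_threshold=3):
    """Apply two rules and return a list of findings.

    Rule 1: a request to a known file succeeded (2xx) although the account is
            not in that file's ACL (the access control failure described above).
    Rule 2: an account touched at least `enum_threshold` distinct file ids,
            a pattern worth reviewing even when individual requests look valid.
    """
    findings = []
    distinct_files = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, fid, status = rec["user"], rec["file_id"], rec["status"]
        distinct_files[user].add(fid)
        if 200 <= status < 300 and fid in acl and user not in acl[fid]:
            findings.append({
                "rule": "unauthorized_file_access",
                "user": user, "file_id": fid,
                "method": rec["method"], "ts": rec["ts"],
            })
    for user, fids in distinct_files.items():
        if len(fids) >= enum_threshold:
            findings.append({
                "rule": "file_id_enumeration",
                "user": user, "count": len(fids),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, ACL):
        print(f)
```

Rule 1 only fires on successful responses, so denied requests (4xx) do not generate noise; a denied request for an unknown file id (like the 404 above) is still counted toward rule 2, since probing for identifiers is exactly what that rule is meant to surface. In production the ACL map would be exported from Teedy's own sharing configuration rather than hard-coded.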

CVE-2025-11853 vulnerability details – vuln.today