Skip to main content

CVE-2025-27025

| EUVDEUVD-2025-19706 HIGH
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2025-07-02 a6d3dc9e-0591-4a13-bce7-0f5b31ff6158
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:35 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
7.1
EUVD ID Assigned
Mar 16, 2026 - 01:55 euvd
EUVD-2025-19706
Analysis Generated
Mar 16, 2026 - 01:55 vuln.today
CVE Published
Jul 02, 2025 - 10:15 nvd
HIGH 8.8

DescriptionCVE.org

The target device exposes a service on a specific TCP port with a configured endpoint. The access to that endpoint is granted using a Basic Authentication method. The endpoint accepts also the PUT method and it is possible to write files on the target device file system. Files are written as root. Using Postman it is possible to perform a Directory Traversal attack and write files into any location of the device file system. Similarly to the PUT method, it is possible to leverage the same mechanism to read any file from the file system by using the GET method.

Analysis

The target device exposes a service on a specific TCP port with a configured endpoint. The access to that endpoint is granted using a Basic Authentication method. The endpoint accepts also the PUT method and it is possible to write files on the target device file system. Files are written as root. Using Postman it is possible to perform a Directory Traversal attack and write files into any location of the device file system. Similarly to the PUT method, it is possible to leverage the same mechanism to read any file from the file system by using the GET method.

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

Share

CVE-2025-27025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy