Cyber Posture

CVE-2025-0525

High

Published: 11 February 2025

Modified: 02 July 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0024 (47.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.

Security Summary

CVE-2025-0525 is an information disclosure vulnerability in affected versions of Octopus Server, where the preview import feature can be abused to detect the existence of a target file on the server. This issue, classified under CWE-200, enables adversaries to gather sensitive reconnaissance data. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2025-02-11T10:15:09.490.

Unauthenticated attackers with network access to the Octopus Server can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation confirms the presence or absence of specific files, yielding information that may assist in planning further attacks against the server, though it does not directly enable data modification, execution, or denial of service.

The official advisory provides details on mitigation and patching; refer to https://advisories.octopus.com/post/2024/sa2025-02/ for affected versions, patch information, and recommended actions.

Details

CWE(s)
CWE-200

Affected Products

octopus
octopus server
2020.6.4592 — 2024.3.13007 · 2024.4.401 — 2024.4.6995
