CVE-2025-11630
Published: 12 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11630 is a path traversal vulnerability (CWE-22) affecting RainyGao DocSys versions up to 2.02.36. The issue resides in the updateRealDoc function within the /Doc/uploadDoc.do file of the File Upload component, where manipulation of the path argument enables traversal outside intended directories.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring low attack complexity (AC:L) and no user interaction (UI:N). Exploitation yields limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Advisories from VulDB indicate that the vendor was contacted early about the issue but provided no response or patches. The exploit has been publicly released and is available on GitHub, increasing the risk of immediate use by attackers.
Published on 2025-10-12, this vulnerability has a disclosed proof-of-concept exploit, though no evidence of active real-world exploitation is reported in available sources.
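The containment check an upload handler needs so that a caller-supplied path parameter cannot leave the upload directory, as an added Python example that is not code from DocSys or from the advisory; the upload root and the function names are assumptions, and the inputs at the bottom are constructed.

```python
import os

# Constructed example root; a real deployment would use its configured upload directory.
UPLOAD_ROOT = "/srv/docsys/upload"


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would land outside the upload root."""


def resolve_upload_path(upload_root: str, user_path: str) -> str:
    """Map a user-controlled 'path' parameter to an absolute file under upload_root.

    The containment test runs on the fully resolved path (symlinks included),
    not on the raw string, so '..' segments, absolute paths and symlinked
    escapes are all rejected by the same comparison.
    """
    if "\x00" in user_path:
        # A NUL byte can truncate the path in lower-level (C) file APIs.
        raise PathTraversalError("NUL byte in path")
    root = os.path.realpath(upload_root)
    # os.path.join drops root when user_path is absolute; the containment
    # check below then fails, which is the desired outcome.
    candidate = os.path.realpath(os.path.join(root, user_path))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"path escapes upload root: {user_path!r}")
    return candidate


def is_safe_upload_path(upload_root: str, user_path: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_upload_path(upload_root, user_path)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the first is legitimate, the rest try to escape the root.
    for p in ["docs/report.pdf", "../../etc/passwd", "/etc/passwd", "a/../b", ""]:
        verdict = "accept" if is_safe_upload_path(UPLOAD_ROOT, p) else "reject"
        print(f"{p!r:22} -> {verdict}")
```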
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A path traversal flaw in the upload endpoint of a public-facing web application gives an adversary a way to exploit that public-facing application for initial access.