Cyber Posture

CVE-2025-14520

Severity: Medium
Published: 11 December 2025
Modified: 29 April 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0016 (36.6th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A weakness has been identified in baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c. Impacted is an unknown function of the file /admin/index.php/datafile/delfile. Manipulation of the argument filename causes path traversal. The attack can be carried out remotely. The exploit has been made available to the public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mitigates path traversal by requiring validation of the filename argument to block directory traversal sequences like '../'.

prevent: Requires timely flaw remediation through patching or updating the vulnerable baowzh hfly CMS beyond the affected commit.

prevent: Limits exploitation impact by enforcing least privilege on low-privileged users, restricting access to arbitrary files for deletion.

Security Summary [AI-generated]

CVE-2025-14520 is a path traversal vulnerability (CWE-22) affecting the baowzh hfly PHP-based travel website CMS up to commit 638ff9abe9078bc977c132b37acbe1900b63491c. The issue resides in an unknown function within the file /admin/index.php/datafile/delfile, where manipulation of the filename argument enables attackers to traverse directories and perform arbitrary file deletion. The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and was published on 2025-12-11.

The vulnerability can be exploited remotely by low-privileged users, such as authenticated administrators, with low attack complexity and no user interaction required. Successful exploitation allows deletion of arbitrary files on the server, resulting in low impacts to integrity and availability but no confidentiality loss.

Advisories from VulDB and a related GitHub entry detail the vulnerability but note no vendor response despite early contact; the product uses a rolling release strategy for updates. No patches or specific mitigations are mentioned, implying practitioners should monitor for newer commits beyond 638ff9abe9078bc977c132b37acbe1900b63491c.

An exploit is publicly available, increasing the risk of active exploitation in the wild.
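One way to implement the filename validation named in the mitigating controls above, as an added PHP example rather than hfly's own code; the directory, function names and sample file are assumptions, and the weak form is shown only to contrast it with the hardened one:

```php
<?php
// Added example, not hfly's code: a hardened "delete data file" handler for the
// pattern described above (user-supplied filename joined onto a directory).
// $baseDir and the function names are hypothetical. Requires PHP 8.0+.
declare(strict_types=1);

// Weak pattern (the CWE-22 flaw in the advisory): the request value is joined
// straight into the path, so a name containing "../" escapes $baseDir.
function deleteDataFileWeak(string $baseDir, string $filename): bool
{
    return @unlink($baseDir . '/' . $filename);
}

// Hardened version: allow-list the name, canonicalise, and confirm the
// resolved target is still inside $baseDir before touching the filesystem.
function deleteDataFileSafe(string $baseDir, string $filename): bool
{
    // 1. Plain file names only: no separators, no ".." components.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $filename) || str_contains($filename, '..')) {
        error_log('delfile: rejected filename ' . bin2hex($filename)); // feed to detection
        return false;
    }
    // 2. realpath() resolves symlinks and "." / ".."; false if the path does not exist.
    $root   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($root === false || $target === false) {
        return false;
    }
    // 3. Containment: the target must sit below $root (separator included, so
    //    "/var/app/data2" is not accepted as inside "/var/app/data").
    if (!str_starts_with($target, $root . DIRECTORY_SEPARATOR)) {
        error_log('delfile: traversal blocked for ' . bin2hex($filename));
        return false;
    }
    // 4. Regular files only: never directories, devices or sockets.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Demonstration on a throwaway directory with constructed sample data.
$dir = sys_get_temp_dir() . '/delfile_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/report.csv', "id,value\n1,42\n");
var_dump(deleteDataFileSafe($dir, '../../../etc/passwd')); // traversal attempt
var_dump(deleteDataFileSafe($dir, 'report.csv'));          // legitimate name
rmdir($dir);
```

The rejection log lines give a SOC a concrete signal to alert on; step 3 is what makes the check hold even when a symlink inside the data directory points elsewhere.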

Details

CWE(s): CWE-22

Affected Products: baowzh hfly ≤ 2016-05-11

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1070.004 File Deletion (tag: Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal enables arbitrary file deletion, directly facilitating T1070.004 (Indicator Removal: File Deletion) for evasion and T1107 (File Deletion) for service disruption and impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
