CVE-2025-2193
Published: 11 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2193 is a path traversal vulnerability (CWE-22) classified as critical in MRCMS version 3.1.2. It affects the delete function in the file /admin/file/delete.do within the component org.marker.mushroom.controller.FileController, where manipulation of the path/name argument triggers the traversal.
The vulnerability is remotely exploitable by low-privileged users (PR:L) with low attack complexity (AC:L) and no user interaction required (UI:N). A successful attack has low integrity (I:L) and availability (A:L) impact and no confidentiality impact (C:N), yielding a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).
Advisories from VulDB indicate the vendor was contacted early about the disclosure but did not respond, and no patch is mentioned. The exploit has been publicly disclosed via a GitHub issue and may be in use.
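The weakness described above is a file-delete handler that trusts a user-supplied path. The following is an added example of the containment check such a handler needs; it is not MRCMS code and does not reproduce the affected controller. It assumes a hypothetical upload directory as the only location the endpoint may delete from, and builds its sample files in a temporary directory.

```python
# Added example (not MRCMS code): a hardened file-delete handler that confines
# a user-supplied relative path to a fixed base directory before unlinking.
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path escapes the allowed base directory."""


def resolve_within(base_dir: str, requested: str) -> Path:
    """Return the real filesystem path for `requested` only if it lies inside
    `base_dir` after symlink and '..' resolution; otherwise raise."""
    if not requested or requested != requested.strip():
        raise PathTraversalError("empty or whitespace-padded path")
    if os.path.isabs(requested) or "\x00" in requested:
        raise PathTraversalError(f"absolute path or NUL byte rejected: {requested!r}")
    base = Path(base_dir).resolve()
    # Join the untrusted input to the base, then resolve symlinks and '..' segments.
    target = (base / requested).resolve()
    # commonpath is the canonical containment test; a plain string-prefix check
    # would wrongly accept /srv/uploads_evil as lying inside /srv/uploads.
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    if target == base:
        raise PathTraversalError("refusing to operate on the base directory itself")
    return target


def delete_file(base_dir: str, requested: str) -> bool:
    """Delete a regular file inside base_dir. Returns True if deleted, False if
    absent. Raises PathTraversalError for any escape attempt."""
    target = resolve_within(base_dir, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Run the handler against a constructed upload tree (sample data created in
    a temp dir) and report which requests were deleted, blocked, or not found."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root) / "uploads"          # hypothetical allowed directory
        (uploads / "docs").mkdir(parents=True)
        (uploads / "docs" / "report.txt").write_text("ok")
        secret = Path(root) / "config.properties"  # constructed file outside the base
        secret.write_text("db.password=example")
        for req in ["docs/report.txt", "../config.properties", "/etc/passwd",
                    "docs/../../config.properties", "docs/missing.txt"]:
            try:
                results[req] = "deleted" if delete_file(str(uploads), req) else "not found"
            except PathTraversalError:
                results[req] = "blocked"
        results["secret_survives"] = secret.exists()
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r}: {outcome}")
```

The design point is that the check runs on the fully resolved path, not on the raw argument: stripping `../` substrings or rejecting obvious patterns leaves encoded and symlink-based variants untested, whereas resolving first and then testing containment with `os.path.commonpath` covers them all in one place.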
Details
CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Affected Products: MRCMS 3.1.2
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated path traversal in the delete endpoint of a public-facing web application maps to Exploit Public-Facing Application (T1190), Exploitation for Privilege Escalation (T1068, via vertical escalation to the admin file-delete function), and arbitrary file deletion (T1070.004, Indicator Removal: File Deletion, whether for indicator removal or for impact).