Cyber Posture

CVE-2025-25371

High · Public PoC

Published: 25 March 2025

Modified: 30 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0056 (68.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Security Summary

CVE-2025-25371, published on 2025-03-25, is a path traversal vulnerability (CWE-22) affecting the OSAL module in NASA's Core Flight System (cFS) Aquila. The flaw allows attackers to override arbitrary files on the system. It carries a CVSS v3.1 base score of 7.5, rated as high severity, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Exploitation enables the attacker to override arbitrary files on the system, leading to a high confidentiality impact.

Advisories providing further details, including potential mitigations, are available at https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/.

Details

CWE(s): CWE-22

Affected Products

nasa · core flight system · 6.7.0

MITRE ATT&CK Enterprise Techniques

T1565.001 · Stored Data Manipulation · Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal allowing arbitrary file override directly enables stored data manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References