Cyber Posture

CVE-2025-25759

High

Published: 27 February 2025

Modified: 09 April 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0077 (73.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

An issue in the component admin_template.php of SUCMS v1.0 allows attackers to execute a directory traversal and arbitrary file deletion via a crafted GET request.

Security Summary

CVE-2025-25759 is a vulnerability in the admin_template.php component of SUCMS version 1.0. It enables directory traversal and arbitrary file deletion through a crafted GET request. The issue is linked to CWE-22 (path traversal) and CWE-552 (files or directories accessible to external parties), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its integrity impact.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and without user interaction. Successful exploitation allows deletion of arbitrary files on the affected system, which can disrupt operations by removing critical files; it does not directly affect confidentiality or availability.

Mitigation details are available in the referenced advisory at https://github.com/147536951/Qianyi-learn/blob/main/SUCMS.pdf, published on 2025-02-27.

Details

CWE(s)
CWE-22, CWE-552

Affected Products

Vendor: sucms project
Product: sucms
Version: 1.0

References