CVE-2025-27590
Published: 03 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-27590 affects oxidized-web (also known as Oxidized Web) versions prior to 0.15.0, a web interface for the Oxidized network configuration backup tool. The vulnerability resides in the RANCID migration page, which enables an unauthenticated user to gain control over the Linux user account running the oxidized-web process. It has been assigned a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-22 (Path Traversal), as indicated by NVD-CWE-noinfo. The issue was published on 2025-03-03.
An attacker can exploit this vulnerability remotely over the network without authentication or user interaction, though it requires high attack complexity. Successful exploitation grants the attacker control over the underlying Linux user account executing oxidized-web, potentially leading to high-impact confidentiality, integrity, and availability violations with a changed scope, such as arbitrary code execution or privilege escalation within the application's context.
Mitigation is available via the oxidized-web release 0.15.0, which addresses the flaw as detailed in the associated GitHub commit a5220a0ddc57b85cd122bffee228d3ed4901668e. Security practitioners should upgrade to version 0.15.0 or later to remediate the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated remote path traversal in the public-facing oxidized-web interface directly enables T1190 (Exploit Public-Facing Application) and facilitates T1068 (Exploitation for Privilege Escalation) by granting control over the Linux user account running the process, including arbitrary code execution.