Cyber Posture

CVE-2025-50857

Critical

Published: 26 February 2026

Published
26 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0117 78.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of user-supplied inputs like file paths, directly preventing directory traversal in the crafted file upload to /module/ai/control.php.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and correction of flaws, directly remediating the directory traversal vulnerability leading to arbitrary code execution.

SC-7 Boundary Protection partial match
prevent

Boundary protection with web application firewalls can inspect and block network requests containing directory traversal sequences in file uploads.

Security SummaryAI

ZenTaoPMS versions v18.11 through v21.6.beta are affected by CVE-2025-50857, a directory traversal vulnerability (CWE-22) in the /module/ai/control.php component. This flaw allows attackers to execute arbitrary code through a crafted file upload.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Unauthenticated remote attackers can exploit it over the network with low attack complexity and no user interaction required, achieving high-impact arbitrary code execution that compromises confidentiality, integrity, and availability.

References provided include a GitHub gist at https://gist.github.com/sorzs/c67a3dcaa9adb49266d5ff52a04d904b and a repository file at https://github.com/sorzs/test/blob/main/read_and_delete, which appear to demonstrate the vulnerability, such as through read and delete operations. No specific patch or mitigation guidance is detailed in the available information.

Details

CWE(s)
CWE-22

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Matched keywords: ai

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a directory traversal in a public-facing web application (/module/ai/control.php) enabling unauthenticated remote code execution via crafted file upload, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References