Cyber Posture

CVE-2025-63414

CriticalPublic PoC

Published: 16 December 2025

Published
16 December 2025
Modified
31 December 2025
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0238 85.1th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker…

more

can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 requires validation of information inputs such as the 'id' parameter to block path traversal and command injection in the /html/execute.php endpoint.

SI-2 Flaw Remediation good match
prevent

SI-2 mandates timely identification, testing, and correction of flaws like the path traversal vulnerability in Allsky WebUI v2024.12.06_06.

SC-7 Boundary Protection partial match
prevent

SC-7 enforces boundary protection to monitor and control HTTP requests, enabling web application firewalls to block crafted payloads exploiting the unauthenticated RCE.

Security SummaryAI

CVE-2025-63414 is a Path Traversal vulnerability (CWE-22) in the Allsky WebUI version v2024.12.06_06 that enables arbitrary command injection (CWE-78). The flaw resides in the /html/execute.php endpoint, where insufficient validation of the 'id' parameter allows attackers to traverse paths and execute OS commands. Published on 2025-12-16, it carries a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe due to its network accessibility, low complexity, lack of privileges or user interaction required, and high impact across confidentiality, integrity, and availability with scope expansion.

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the 'id' parameter. Successful exploitation leads to full remote code execution (RCE) on the underlying operating system, potentially granting complete control over the affected Allsky WebUI instance.

References include a detailed advisory at https://gh0stmezh.wordpress.com/2025/12/02/cve-2025-63414/, the Allsky GitHub repository at https://github.com/AllskyTeam/allsky, and the vulnerable source file at https://github.com/AllskyTeam/allsky/blob/master/html/execute.php. Security practitioners should review these for patch details, updates, or mitigation guidance directly from the vendor or researchers.

Details

CWE(s)
CWE-22CWE-78

Affected Products

allskyteam
allsky
2024.12.06_06

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

T1190 for unauthenticated RCE via public-facing web application endpoint; T1059.004 as the path traversal enables arbitrary OS command injection on likely Unix/Linux system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References