CVE-2025-34076

MEDIUM EPSS 67.2%
Published Jul 2, 202512mo ago · Modified Jun 17, 20261w ago
6.1 CVSS 4.0
Medium
Find Similar
Published Jul 2, 2025 12mo ago
Last Modified Jun 17, 2026 1w ago

Description

An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.

CVSS Details

Base Score
6.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
67.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 1

VendorProductVersionRange
microwebermicroweber* ≤1.2.11

References 6

  • github.com https://github.com/microweber/microweber
    Product
  • github.com https://github.com/microweber/microweber/commit/572bdc36b5b47923790016f6b961c8df53226855
    Patch
  • github.com https://github.com/microweber/microweber/commit/98d025467128ecc24195dcb56c533febc3c91af6
    Patch
  • huntr.com https://huntr.com/bounties/09218d3f-1f6a-48ae-981c-85e86ad5ed8b
    ExploitThird Party Advisory
  • raw.githubusercontent.com https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/gather/microweber_lfi.rb
    Exploit
  • vulncheck.com https://vulncheck.com/advisories/microweber-cms-lfi
    Third Party Advisory

Remediation

  • github.com https://github.com/microweber/microweber/commit/572bdc36b5b47923790016f6b961c8df53226855
    Patch
  • github.com https://github.com/microweber/microweber/commit/98d025467128ecc24195dcb56c533febc3c91af6
    Patch