CVE-2025-14520

5.4 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in baowzh hfly's admin interface that allows remote attackers to delete arbitrary files by manipulating the filename parameter. The vulnerability affects all versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c. Systems with the vulnerable /admin/index.php/datafile/delfile endpoint exposed are at risk.

💻 Affected Systems

Products:
  • baowzh hfly
Versions: All versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /admin/index.php/datafile/delfile endpoint to be accessible. The vendor uses rolling releases but hasn't responded to disclosure.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, configuration files, or web application files leading to denial of service or privilege escalation.

🟠 Likely Case

Unauthorized deletion of web application files, configuration files, or user data leading to service disruption, data loss, or defacement.

🟢 If Mitigated

Limited impact if proper file permissions, input validation, and access controls prevent exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. Attack requires access to the admin interface but path traversal is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider workarounds or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation that sanitizes the filename parameter and rejects path traversal sequences.

Modify the handler for /admin/index.php/datafile/delfile to validate the filename parameter with the realpath() and basename() functions, so that only files inside the intended directory can be deleted.

Access Restriction

all

Restrict access to the vulnerable endpoint using web server rules or authentication

Add .htaccess rules to restrict access to /admin/index.php/datafile/delfile or implement additional authentication checks

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system and restrict access to the admin interface
  • Deploy a web application firewall (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

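Check whether /admin/index.php/datafile/delfile exists and accepts a filename parameter. Test with path traversal payloads like '../../etc/passwd'. The endpoint deletes the file it resolves, so run this test only against a disposable, non-production instance.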

Check Version:

Check git commit hash: git log --oneline -1

Verify Fix Applied:

Test that path traversal attempts are blocked and that only valid filenames within the intended directory are accepted.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /admin/index.php/datafile/delfile with suspicious filename parameters containing '../' sequences
  • File deletion events in unexpected directories

Network Indicators:

  • HTTP POST/GET requests to vulnerable endpoint with path traversal patterns

SIEM Query:

source="web_logs" AND uri="/admin/index.php/datafile/delfile" AND (filename="*../*" OR filename="*..\\*")
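
A log-side check for the indicators above, as an added example (not code from hfly or from this advisory): it percent-decodes the filename value repeatedly before testing it, so encoded forms such as %2e%2e%2f are flagged as well as a literal '../'. It assumes common/combined-format access logs and that filename travels in the query string; POST bodies do not appear in such logs and need application or WAF logging instead.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin/index.php/datafile/delfile"  # route named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # assumed log format

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %252e%252e%252f collapses to ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(filename):
    """True if the decoded value can point outside the directory it belongs in."""
    name = fully_decode(filename).replace("\\", "/")
    if "\x00" in name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return True
    return ".." in name.split("/")

def suspicious_requests(lines):
    """Return (line_number, decoded filename) for delfile requests that traverse."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if fully_decode(target.path).rstrip("/") != ENDPOINT:
            continue
        for value in parse_qs(target.query).get("filename", []):
            if is_traversal(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample lines (192.0.2.0/24 is a documentation address range).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2026:10:00:00 +0000] "GET /admin/index.php/datafile/delfile?filename=backup_0101.sql HTTP/1.1" 200 15',
    '192.0.2.44 - admin [01/Jan/2026:10:02:11 +0000] "GET /admin/index.php/datafile/delfile?filename=../../config.php HTTP/1.1" 200 15',
    '192.0.2.44 - admin [01/Jan/2026:10:02:19 +0000] "GET /admin/index.php/datafile/delfile?filename=%252e%252e%252findex.php HTTP/1.1" 200 15',
    '192.0.2.44 - admin [01/Jan/2026:10:02:30 +0000] "GET /admin/index.php/datafile/delfile?filename=..%5C..%5Cindex.php HTTP/1.1" 200 15',
    '192.0.2.10 - admin [01/Jan/2026:10:05:00 +0000] "GET /admin/index.php/datafile/list?filename=../x HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    for number, name in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: traversal in filename -> {name!r}")
```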
