CVE-2025-6776

7.3 HIGH

📋 TL;DR

This critical vulnerability in xiaoyunjie openvpn-cms-flask allows remote attackers to perform path traversal attacks via the image upload function. Attackers can write arbitrary files to unintended locations on the server, potentially leading to remote code execution. All systems running openvpn-cms-flask versions up to 1.2.7 are affected.

💻 Affected Systems

Products:
  • xiaoyunjie openvpn-cms-flask
Versions: up to 1.2.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the file upload component in app/plugins/oss/app/controller.py

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Arbitrary file upload leading to web shell deployment, data manipulation, or denial of service.

🟢 If Mitigated

Limited impact with proper file upload restrictions and web application firewalls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been publicly disclosed; it requires file upload access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.8

Vendor Advisory: https://github.com/xiaoyunjie/openvpn-cms-flask/releases/tag/v1.2.8

Restart Required: Yes

Instructions:

1. Back up current configuration and data.
2. Stop the openvpn-cms-flask service.
3. Upgrade to version 1.2.8 using pip: 'pip install openvpn-cms-flask==1.2.8'.
4. Restart the service.

🔧 Temporary Workarounds

Disable file upload functionality (applies to: all)

Temporarily disable the vulnerable file upload endpoint: modify app/plugins/oss/app/controller.py to comment out or remove the Upload function.

Implement WAF rules (applies to: all)

Add web application firewall rules to block path traversal attempts: add a WAF rule to block requests containing '../' or similar path traversal patterns in file upload parameters.

🧯 If You Can't Patch

  • Implement strict file upload validation including file type checking and path sanitization
  • Deploy network segmentation to isolate the vulnerable system from critical assets

🔍 How to Verify

Check if Vulnerable:

Check the installed version of openvpn-cms-flask with 'pip show openvpn-cms-flask' and confirm whether the version is <=1.2.7.

Check Version:

pip show openvpn-cms-flask | grep Version

Verify Fix Applied:

Verify that version 1.2.8 is installed: 'pip show openvpn-cms-flask | grep Version' should show 1.2.8.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload attempts with path traversal patterns (../, ..\)
  • File writes to unexpected directories
  • Multiple failed upload attempts

Network Indicators:

  • HTTP POST requests to /upload endpoints containing path traversal sequences
  • Unusual outbound connections from the server after file uploads

SIEM Query:

source="web_logs" AND (uri_path="/upload" OR uri_path="/api/upload") AND (request_body CONTAINS "../" OR request_body CONTAINS "..\")
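Two defender-side checks for the weakness this advisory describes, written here as an added example (not code from openvpn-cms-flask): a destination-path validator an image-upload handler can call before writing, which rejects names carrying any directory component even after repeated percent-decoding, and a log-line check that mirrors the SIEM query above. The extension allow-list and the "METHOD URI STATUS" log format are assumptions.

```python
import os
import urllib.parse
from typing import Optional

# Hypothetical policy values for the example; the project's real settings are not on the page.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
TRAVERSAL_MARKERS = ("../", "..\\")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_upload_path(upload_root: str, client_filename: str) -> Optional[str]:
    """Return an absolute destination inside upload_root, or None to reject.

    Rejecting (rather than silently renaming) is deliberate: a name that
    carries a directory component is an attack signal worth logging.
    """
    name = decode_fully(client_filename).replace("\\", "/")
    if "/" in name or ".." in name or name.startswith(".") or not name:
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None  # images only; keeps server-side scripts out of the upload dir
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    # Defense in depth: the resolved path must still sit under the root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def is_traversal_attempt(log_line: str) -> bool:
    """Log-side check mirroring the SIEM query: a POST to an upload URI whose
    (decoded) request carries a traversal sequence."""
    lowered = decode_fully(log_line).lower()
    if not lowered.startswith("post ") or "/upload" not in lowered:
        return False
    return any(marker in lowered for marker in TRAVERSAL_MARKERS)
```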
