VDB

CVE-2025-2747

CVE-2025-2747 PUBLISHED KEV CVSS 9.300000190734863 CRITICAL

CVE-2025-2746: A remote attacker without privileges can gain administrative privileges and control admin objects by exploiting the improper authentication in the password handling of empty SHA1 usernames in the Staging Sync Server. CVE-2025-2747: A remote attacker without privileges can gain administrative privileges and control admin objects by exploiting the improper authentication in the password handling for the type “None” as defined by the Staging Sync Server. CVE-2025-2749: A remote attacker with high privileges can upload arbitrary files to any location and execute path traversal by exploiting this improper limitation of a pathname to a restricted directory vulnerability. This can allow the attacker to execute code remotely on the server side, which can lead to complete system compromise.

EPSS 91.41% · 99.7th percentile

Risk Scores

CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score
91.41%
99.7th percentile

Timeline

  • Mar 24, 2025 CVE Published
  • Mar 24, 2025 PoC Published
  • Mar 24, 2025 PoC Published
  • Mar 24, 2025 PoC Published
  • Mar 24, 2025 PoC Published
  • Mar 25, 2025 EPSS Score
  • Mar 27, 2025 PoC Published
  • Mar 27, 2025 PoC Published
  • Apr 1, 2025 PoC Published
  • Apr 3, 2025 PoC Published
  • Apr 7, 2025 EPSS Score
  • May 3, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›