VDB

CVE-2025-2749

CVE-2025-2749 PUBLISHED KEV CVSS 9.3 CRITICAL

CVE-2025-2746: A remote attacker without privileges can gain administrative privileges and control admin objects by exploiting the improper authentication in the password handling of empty SHA1 usernames in the Staging Sync Server.

CVE-2025-2747: A remote attacker without privileges can gain administrative privileges and control admin objects by exploiting the improper authentication in the password handling for the type “None” as defined by the Staging Sync Server.

CVE-2025-2749: A remote attacker with high privileges can upload arbitrary files to any location and execute path traversal by exploiting this improper limitation of a pathname to a restricted directory vulnerability. This can allow the attacker to execute code remotely on the server side, which can lead to complete system compromise.

EPSS 4.89% · 89.8th percentile

Risk Scores

CVSS 4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score
4.89%
89.8th percentile

Timeline

  • Mar 24, 2025 CVE Published
  • Mar 24, 2025 PoC Published
  • Mar 25, 2025 EPSS Score
  • Apr 7, 2025 EPSS Score
  • Apr 20, 2025 EPSS Score
  • May 3, 2025 EPSS Score
  • May 17, 2025 EPSS Score
  • Jun 12, 2025 EPSS Score
  • Jun 25, 2025 EPSS Score
  • Jul 8, 2025 EPSS Score
  • Jul 21, 2025 EPSS Score
  • Aug 3, 2025 EPSS Score