CVE-2025-34076
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-08-20
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microweber | microweber | to 1.2.11 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34076 is an authenticated Local File Inclusion (LFI) vulnerability in Microweber CMS versions up to 1.2.11. It occurs through misuse of the backup management API, specifically the /api/BackupV2/upload and /api/BackupV2/download endpoints. Authenticated users can specify an absolute file path in the upload request's src parameter, which may cause the server to relocate or delete the target file depending on permissions. Then, the download endpoint can be used to retrieve the file contents, allowing an attacker to read arbitrary files from the server's filesystem. This happens due to insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic. [2, 4]
How can this vulnerability impact me?
This vulnerability allows an authenticated user with limited privileges to read arbitrary files on the server hosting Microweber CMS by exploiting the backup API. Depending on the web service user's privileges, the attacker may also cause relocation or deletion of files. This can lead to unauthorized disclosure of sensitive information stored on the server, potential data loss, and compromise of system integrity. The vulnerability has a medium severity with a CVSS v4 base score of 6.1. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying whether your Microweber CMS instance is version 1.2.11 or earlier and by checking whether the backup API endpoints /api/BackupV2/upload and /api/BackupV2/download are accessible and exploitable. The Metasploit auxiliary module for CVE-2025-34076 automates detection by performing the following steps: 1) checking the Microweber version via the admin login page, 2) logging in with valid credentials via /api/user_login, 3) attempting to upload a file using the /api/BackupV2/upload endpoint with a crafted src parameter, and 4) downloading the file via /api/BackupV2/download to confirm arbitrary file read. The underlying commands send HTTP requests to these endpoints with the appropriate parameters and authentication; for example, curl or similar tools can POST login credentials and then issue requests to the upload and download endpoints with path traversal payloads to confirm whether the instance is vulnerable. [4, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Microweber CMS to a version later than 1.2.11 where the vulnerability is patched. The patches introduce strict validation on file paths and file extensions for the backup upload and download API endpoints, including sanitizing input to remove directory traversal sequences and restricting downloadable files to .json and .zip extensions only. If updating is not immediately possible, restrict access to the backup API endpoints to trusted users only, enforce strong authentication, and monitor for suspicious activity involving these endpoints. Applying the security patches from the official Microweber repository that implement these validations is critical to prevent exploitation. [1, 3]
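As an added illustration (not Microweber's own code), this is the kind of check the patches are described as introducing: a user-supplied backup file name is only accepted if it is a bare file name, has a .json or .zip extension, and canonicalises to a location inside the backup directory. The function and directory names are assumptions for the example.

```php
<?php
// Added example, not code from the Microweber project. Demonstrates a hardened
// path check for a user-supplied backup file name (the `src` value) before any
// move, delete or download is performed on it.
declare(strict_types=1);

const ALLOWED_BACKUP_EXTENSIONS = ['json', 'zip'];

/**
 * Resolve $userPath safely inside $backupDir. Returns the canonical absolute
 * path of an existing file, or null when the request must be refused.
 */
function resolveBackupFile(string $backupDir, string $userPath): ?string
{
    // Reject absolute paths and any traversal components outright: only a bare
    // file name directly inside the backup directory is acceptable.
    if ($userPath === '' || $userPath !== basename($userPath)) {
        return null;
    }
    // Allowlist the extension instead of trying to blocklist dangerous ones.
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXTENSIONS, true)) {
        return null;
    }
    // realpath() resolves symlinks, so a link that points outside the backup
    // directory is caught by the prefix check below.
    $base = realpath($backupDir);
    $full = realpath($backupDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demonstration in a temporary directory (hypothetical backup dir).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/site.zip', 'zip-bytes');
$cases = ['site.zip', '../../etc/passwd', '/etc/passwd', 'notes.txt', 'site.zip/..'];
foreach ($cases as $c) {
    $r = resolveBackupFile($dir, $c);
    printf("%-20s => %s\n", $c, $r === null ? 'REJECTED' : 'ok: ' . $r);
}
unlink($dir . '/site.zip');
rmdir($dir);
```

Only the first case is accepted; absolute paths, traversal sequences, a disallowed extension and a trailing `/..` are all refused before any filesystem operation on the target.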