CVE-2025-9461
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in diyhi bbs up to 6.8. The impacted element is an unknown function of the file src/main/java/cms/web/action/filePackage/FilePackageManageAction.java of the component File Compression Handler. This manipulation of the argument idGroup causes information disclosure. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9461
EUVD
EUVD-2025-25787
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
diyhi bbs to 6.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9461 is an information disclosure vulnerability in diyhi bbs up to version 6.8. It exists in the File Compression Handler component, specifically in the file src/main/java/cms/web/action/filePackage/FilePackageManageAction.java. The vulnerability arises from improper handling of the idGroup argument, which can be manipulated remotely to compress and download sensitive files, including database credential configuration files. This leads to leakage of sensitive information due to improper access control in the file packaging and download feature. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information such as database account passwords and other confidential files. An attacker can remotely exploit this flaw to access and download sensitive files without proper authorization, potentially compromising the confidentiality of your system and data. This could result in further attacks or data breaches. [1, 2]

Detection Guidance

Detection of this vulnerability can be performed by monitoring for unusual requests manipulating the 'idGroup' parameter in the file packaging and download feature of diyhi bbs up to version 6.8, specifically targeting the endpoint related to FilePackageManageAction.java. Since a public proof-of-concept exploit is available, network intrusion detection systems (NIDS) can be configured to alert on suspicious HTTP requests containing 'idGroup' parameters attempting to access compressed archives. Additionally, reviewing web server logs for requests to the file packaging functionality with unusual or unauthorized 'idGroup' values can help detect exploitation attempts. Specific commands depend on your environment, but examples include using grep on web server logs: `grep 'idGroup=' /var/log/httpd/access_log` or `grep 'idGroup=' /var/log/nginx/access.log` to identify suspicious access patterns. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the file packaging and download functionality to authorized users only, applying strict input validation and access control on the 'idGroup' parameter to prevent unauthorized file access, and monitoring for exploitation attempts. Since no known countermeasures or patches are documented, consider disabling the vulnerable feature if possible or replacing the affected component or product. Additionally, monitor cyber threat intelligence sources for updates or patches and apply them once available. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart