CVE-2025-60786
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-23

Assigner: MITRE

Description
A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-60786
EUVD
EUVD-2025-203399
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kagilum icescrum to 7.54 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60786 is a Zip Slip vulnerability in the project import feature of iceScrum v7.54 Pro On-prem. It occurs because the software improperly sanitizes file paths when extracting user-uploaded ZIP files. Attackers can craft malicious ZIP archives containing directory traversal sequences (like "../") that allow files to be extracted outside the intended directory. This enables attackers to write arbitrary files anywhere on the server filesystem, potentially leading to remote code execution and other malicious actions. [1]

Impact Analysis

Exploitation of this vulnerability can lead to remote code execution, allowing attackers to run arbitrary code on the server. Other impacts include tampering with configuration files, disrupting services, and exfiltrating sensitive data. Since iceScrum allows self-registration by default, any self-registered user can exploit this vulnerability via the import feature, increasing the risk and severity of attacks. [1]

Detection Guidance

Detection can involve monitoring for attempts to upload ZIP files via the project import feature that contain directory traversal sequences such as "../" in file paths. Since the vulnerability involves extracting crafted ZIP files, inspecting uploaded ZIP archives for suspicious paths is key. Specific commands are not provided in the resources, but administrators can check uploaded ZIP contents manually or with scripts that scan for directory traversal patterns. Network monitoring for unusual POST requests to the import endpoint may also help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include applying the official security patches provided by iceScrum for versions up to 7.5.4. If patches are not yet available, disabling the project import feature temporarily is recommended to prevent exploitation. Additionally, restricting self-registration or limiting access to the import functionality can reduce risk. [1]

Compliance Impact

The provided resources do not specify how the CVE-2025-60786 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60786. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart