CVE-2025-63414
Path Traversal in Allsky WebUI Enables Remote Code Execution

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: MITRE

Description
A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).
Meta Information
Published: 2025-12-16
Last Modified: 2025-12-16
Generated: 2026-06-16
AI Q&A: 2025-12-16
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor   Product   Version / Range
allsky   webui     *
allsky   webui     v2024.12.06_06
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Compliance Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the underlying operating system, leading to full remote code execution and complete compromise of confidentiality, integrity, and availability of the application and system. Such a compromise can result in unauthorized access to sensitive data, disruption of services, and potential data breaches, which would negatively impact compliance with common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information and maintaining system integrity and availability. [2]

Executive Summary

CVE-2025-63414 is a critical Remote Code Execution (RCE) vulnerability in the Allsky WebUI project. It occurs due to improper input validation and insecure command execution in the execute.php script. An unauthenticated remote attacker can send a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter. The vulnerability arises because the id parameter is used to construct system commands without proper sanitization, allowing attackers to execute arbitrary commands on the underlying operating system. This leads to full remote code execution under the privileges of a high-privilege user. [2]

Impact Analysis

This vulnerability can lead to full remote code execution on the affected system, allowing an attacker to run arbitrary commands with high privileges. This compromises the confidentiality, integrity, and availability of both the Allsky WebUI application and the underlying operating system. An attacker could potentially take complete control of the system, access sensitive data, modify or delete files, and disrupt services. [2]

Detection Guidance

You can detect exploitation attempts by monitoring HTTP requests to the /html/execute.php endpoint for crafted requests whose id parameter carries commands such as 'allsky-config whoami' or 'allsky-config cat /etc/passwd'. For example, the following curl request tests whether the endpoint executes commands: curl 'http://[TARGET-IP]/html/execute.php?id=allsky-config%20whoami'. Additionally, inspecting web server logs for unusual requests to /html/execute.php with an id parameter containing command-like strings can help detect exploitation attempts. [2]
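The log review described above, as an added PHP example that is not code from the advisory or from the Allsky project: it scans Apache-style access-log lines (constructed here for illustration) for requests to /html/execute.php whose percent-decoded id value is anything other than a short bare token. The token alphabet, the sample IP addresses and the log lines are assumptions of this example.

```php
<?php
// Added example, not code from the advisory or from the Allsky project.
// Flags access-log entries for /html/execute.php whose decoded id value is
// anything other than a short bare token. The log lines are constructed samples.

function sample_log(): string
{
    return <<<'LOG'
10.0.0.5 - - [16/Dec/2025:10:01:02 +0000] "GET /html/execute.php?id=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Dec/2025:10:01:07 +0000] "GET /html/execute.php?id=allsky-config%20whoami HTTP/1.1" 200 34 "-" "curl/8.4.0"
10.0.0.7 - - [16/Dec/2025:10:02:00 +0000] "GET /html/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
LOG;
}

// A legitimate action id should be a short bare token (assumed alphabet); whitespace
// (an extra argv element), shell metacharacters or path separators all fail this test.
function id_looks_like_command(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $id) !== 1;
}

// Returns one ['ip' => ..., 'id' => ..., 'line' => ...] entry per suspicious request.
function find_suspicious_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: client IP first, request target inside the quoted request line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $ip = $m[1];
        $target = $m[2];
        if (parse_url($target, PHP_URL_PATH) !== '/html/execute.php') {
            continue;
        }
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;                        // no query string: nothing to inspect in the log line
        }
        parse_str($query, $params);         // percent-decodes, so %20 becomes a space
        $id = $params['id'] ?? null;
        if (is_string($id) && id_looks_like_command($id)) {
            $hits[] = ['ip' => $ip, 'id' => $id, 'line' => $line];
        }
    }
    return $hits;
}

foreach (find_suspicious_requests(sample_log()) as $hit) {
    printf("%s id=%s\n", $hit['ip'], $hit['id']);
}
```

Two caveats when applying this to real logs: the token rule is a heuristic and should be tightened to the set of id values the WebUI actually uses, and a standard access log records only the request line, so a payload delivered in a POST body would not appear here and needs application-level or reverse-proxy request logging to be seen.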

Mitigation Strategies

Immediate mitigation steps include:
1) Implementing a strict whitelist of allowed commands to prevent arbitrary command execution.
2) Replacing the use of escapeshellcmd() with escapeshellarg() to properly escape command arguments.
3) Restricting sudo privileges to minimize the scope of commands that can be executed by the ALLSKY_OWNER user.
4) Employing defense-in-depth strategies such as additional input validation and access control to limit access to the vulnerable endpoint.
Until a patch is applied, consider restricting access to the /html/execute.php endpoint to trusted users only. [2]
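Mitigation steps 1 and 2 as an added PHP example, not Allsky's code: a constructed instance of the CWE-78 pattern the advisory describes sits beside a hardened handler in which the request names only an action, the program and its fixed arguments come from a server-side table, and any caller-supplied value is passed through escapeshellarg(). The action names, the program path and the argument alphabet are hypothetical.

```php
<?php
// Added example, not Allsky's code: the CWE-78 pattern this advisory describes
// beside a hardened handler implementing mitigation steps 1 and 2.

// Constructed vulnerable pattern. escapeshellcmd() neutralises characters such
// as ; | & and backticks, but it leaves spaces alone, so an id of
// "allsky-config whoami" still reaches the shell as a program plus an argument.
function run_unsafe(string $id): string
{
    return (string) shell_exec(escapeshellcmd($id));
}

// Hardened pattern: the request names an action, never a program. The program
// and its fixed arguments are chosen server-side from this table (hypothetical
// paths and action names) and any caller-supplied value goes through escapeshellarg().
const ALLOWED_ACTIONS = [
    'status'  => ['/usr/local/bin/allsky-config', 'status'],
    'version' => ['/usr/local/bin/allsky-config', 'version'],
];

// Returns the full command line, or null when the request must be refused.
function build_command(string $action, ?string $arg = null): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;                      // unknown action: refuse, do not try to clean it
    }
    $parts = array_map('escapeshellarg', ALLOWED_ACTIONS[$action]);
    if ($arg !== null) {
        // Constrain the alphabet first (assumed rule); escapeshellarg() then guarantees
        // the value arrives as exactly one argv element whatever it contains.
        if (preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $arg) !== 1) {
            return null;
        }
        $parts[] = escapeshellarg($arg);
    }
    return implode(' ', $parts);
}

function run_safe(string $action, ?string $arg = null): ?string
{
    $cmd = build_command($action, $arg);
    return $cmd === null ? null : (string) shell_exec($cmd);
}

// Demonstration with constructed inputs: a known action yields a command line,
// while an unknown action and a non-conforming argument are both refused.
var_dump(build_command('status'));
var_dump(build_command('allsky-config whoami'));
var_dump(build_command('status', 'two words'));
```

The allowlist is what makes escapeshellarg() sufficient: escaping alone cannot help when the program name itself comes from the request, because a correctly quoted attacker-chosen program is still an attacker-chosen program. Step 3, narrowing what the ALLSKY_OWNER user may run via sudo, then bounds the damage if the handler is ever bypassed.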
