Directory Traversal Vulnerability in RaspAP Web GUI by RaspAP
CVE-2025-44163

6.3 MEDIUM

Key Information:

Vendor: RaspAP
CVE Published: 27 June 2025

What is CVE-2025-44163?

RaspAP Web GUI version 3.3.1 contains a directory traversal vulnerability in the ajax/networking/get_wgkey.php script. An authenticated attacker can send a crafted POST request carrying a path traversal payload in the entity parameter. The payload manipulates the tee command executed on the server, potentially overwriting arbitrary files that are writable by the web server. This could lead to unauthorized access to or modification of critical files, compromising the integrity of the web application and the underlying system.

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
