PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-20002 GMOD CVE debrief

CVE-2025-20002 affects GMOD Apollo and was published on 2025-03-04. According to the CISA advisory, if a user attempts to upload a file that does not meet prerequisites, Apollo can reveal local path information. The issue is rated medium severity (CVSS 5.3) and is addressed by upgrading to Apollo 2.8.0.

Vendor: GMOD
Product: Apollo
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-04
Original CVE updated: 2025-03-04
Advisory published: 2025-03-04
Advisory updated: 2025-03-04

Who should care

GMOD Apollo administrators, operators, and anyone who exposes the application's file-upload functionality should review this advisory. Security teams responsible for application hardening and vulnerability disclosure handling should also review it, especially where leaked local path details could help an attacker profile the deployment.

Technical summary

The advisory describes an information disclosure issue in GMOD Apollo versions before 2.8.0. When a file upload fails its prerequisite checks, the application may return local filesystem path information in its response. The CVSS v3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and a limited confidentiality impact with no integrity or availability impact.

Defensive priority

Medium priority. The flaw does not affect integrity or availability, but disclosed local paths can still help an attacker map a deployment (install location, operating system, user account) or support follow-on attacks. Upgrade planning should be straightforward because a fixed version is identified.

Recommended defensive actions

  • Upgrade GMOD Apollo to version 2.8.0 or later.
  • Review any exposed upload workflows and minimize access to them where possible.
  • Ensure error handling does not reveal filesystem paths or other environment details beyond what is necessary.
  • Use standard ICS/application hardening and defense-in-depth practices for externally reachable services.

Evidence notes

The source corpus is a CISA CSAF advisory for GMOD Apollo (ICSA-25-063-07) published and modified on 2025-03-04. It lists affected product scope as GMOD Apollo <2.8.0, states the issue is a local path information disclosure after failed upload prerequisite checks, and recommends updating to 2.8.0. The advisory does not place this CVE in the Known Exploited Vulnerabilities catalog in the supplied data.

Official resources

Publicly disclosed by CISA on 2025-03-04 as advisory ICSA-25-063-07. The issue was simultaneously published in the CVE record and the CISA CSAF source provided here.