PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-60085 ThemeREX Group CVE debrief

CVE-2025-60085 is an Unauthenticated Local File Inclusion vulnerability in Learnify versions <= 1.15.0. The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. The CVE record was published on 2026-06-17T13:19:15.317Z and was last modified on 2026-06-17T14:45:15.717Z. This vulnerability allows unauthenticated attackers to include local files, potentially leading to data breaches or system compromise. Users of Learnify versions <= 1.15.0 should apply patches or mitigations to prevent exploitation.

Vendor
ThemeREX Group
Product
Learnify
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Users of Learnify versions <= 1.15.0, security teams, and system administrators should be aware of this vulnerability and take necessary actions to prevent exploitation. This includes applying patches or mitigations, monitoring for suspicious activity, and verifying Learnify version and inventory vulnerable instances.

Technical summary

The vulnerability exists in Learnify versions <= 1.15.0 and allows unauthenticated attackers to include local files. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high severity vulnerability. This could allow attackers to access sensitive information or execute arbitrary code. The vulnerability is a result of insufficient input validation and sanitization in the Learnify application.

Defensive priority

High priority should be given to patching or mitigating this vulnerability in Learnify versions <= 1.15.0 to prevent potential exploitation.

Recommended defensive actions

  • Apply patches or updates to Learnify versions <= 1.15.0
  • Implement compensating controls to restrict file inclusion
  • Monitor for suspicious activity related to file inclusion
  • Verify Learnify version and inventory vulnerable instances
  • Review system logs for potential exploitation attempts

Evidence notes

The CVE record and NVD entry provide details on the vulnerability. The vendor, ThemeREX Group, and the researcher, [email protected], have provided information on the vulnerability. However, the scope of affected products and potential impact are still being verified. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:19:15.317Z and has not been modified since then. The NVD entry is currently Deferred.