PatchSiren cyber security CVE debrief
CVE-2025-60085 ThemeREX Group CVE debrief
CVE-2025-60085 is an Unauthenticated Local File Inclusion vulnerability in Learnify versions <= 1.15.0. The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. The CVE record was published on 2026-06-17T13:19:15.317Z and was last modified on 2026-06-17T14:45:15.717Z. This vulnerability allows unauthenticated attackers to include local files, potentially leading to data breaches or system compromise. Users of Learnify versions <= 1.15.0 should apply patches or mitigations to prevent exploitation.
- Vendor
- ThemeREX Group
- Product
- Learnify
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
Users of Learnify versions <= 1.15.0, security teams, and system administrators should be aware of this vulnerability and take necessary actions to prevent exploitation. This includes applying patches or mitigations, monitoring for suspicious activity, and verifying Learnify version and inventory vulnerable instances.
Technical summary
The vulnerability exists in Learnify versions <= 1.15.0 and allows unauthenticated attackers to include local files. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high severity vulnerability. This could allow attackers to access sensitive information or execute arbitrary code. The vulnerability is a result of insufficient input validation and sanitization in the Learnify application.
Defensive priority
High priority should be given to patching or mitigating this vulnerability in Learnify versions <= 1.15.0 to prevent potential exploitation.
Recommended defensive actions
- Apply patches or updates to Learnify versions <= 1.15.0
- Implement compensating controls to restrict file inclusion
- Monitor for suspicious activity related to file inclusion
- Verify Learnify version and inventory vulnerable instances
- Review system logs for potential exploitation attempts
Evidence notes
The CVE record and NVD entry provide details on the vulnerability. The vendor, ThemeREX Group, and the researcher, [email protected], have provided information on the vulnerability. However, the scope of affected products and potential impact are still being verified. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Official resources
-
CVE-2025-60085 CVE record
CVE.org
-
CVE-2025-60085 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:19:15.317Z and has not been modified since then. The NVD entry is currently Deferred.