RCE via Path Traversal in Google SecOps SOAR 6.3.54/older ZIP Import
CVE-2025-9918 Published on September 11, 2025
Zip Slip in Google SecOps SOAR allows for Remote Code Execution
A Path Traversal vulnerability in the archive extraction component in Google SecOps SOAR Server (versions 6.3.54.0, 6.3.53.2, and all prior versions) allows an authenticated attacker with permissions to import Use Cases to achieve Remote Code Execution (RCE) via uploading a malicious ZIP archive containing path traversal sequences.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2025-9918 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2025-9918
Want to know whenever a new CVE is published for Google Secops Soar? stack.watch will email you.
Affected Versions
Google Cloud Google SecOps SOAR:- Before 6.3.54.0 is affected.
- Before 6.3.53.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.