Tileserver - Path Traversal (CVE-2025-44137)

CVE-2025-44137 is a directory traversal vulnerability in MapTiler Tileserver-php v2.0, where improper handling of file paths in the renderTile function allows attackers to use specially crafted GET parameters to access arbitrary files on the server. This flaw could be exploited remotely to read sensitive files, potentially exposing confidential information or system credentials.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-44137 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-44137 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-44137 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit this vulnerability by sending crafted requests to /tileserver.php with a Format parameter containing directory traversal sequences (e.g., /../../../../etc/passwd) to read arbitrary files from the server.