Jira Arbitrary File Write Vulnerability Threatens System Integrity (CVE-2025-22167)
November 7th, 2025
High
Our Cyber Threat Intelligence Unit has identified a high-severity path-traversal/arbitrary-file-write vulnerability in Atlassian Jira Software Data Center and Server, tracked as CVE-2025-22167. This vulnerability allows an authenticated attacker to write arbitrary files to any filesystem location accessible from the Java Virtual Machine (JVM) process. Successful exploitation can result in tampering with configurations, service disruptions, or malware deployment within Jira environments. This vulnerability was introduced in versions 9.12.0 and 10.3.0 and exists through the 11.0.0 branch. Atlassian has released patches (9.12.28, 10.3.12, 11.1.0) and strongly recommends immediate upgrades, especially for internet-exposed instances.
Technical Details
Vulnerability Type: Path Traversal / Arbitrary File Write
CVE ID: CVE-2025-22167
Severity: High (CVSS 8.7)
Authentication Required: Yes – Authenticated User Session
Affected Versions: Introduced in 9.12.0 and 10.3.0 → Present through 11.0.0
Fixed Versions: 9.12.28, 10.3.12, 11.1.0
Initial Vector and Delivery Method:
The vulnerability stems from inadequate input validation in Jira’s file-handling components.
By embedding traversal sequences (../) into crafted HTTP requests, an authenticated attacker can bypass directory restrictions and write arbitrary data to files within directories writable by the JVM.
Although authentication is required, the issue remains exploitable over the network.
It can be chained with other vulnerabilities to achieve configuration manipulation, privilege escalation, or even remote code execution if not adequately secured.
Impact
Exploitation may allow an attacker to:
Modify Jira configuration, project, or workflow files.
Corrupt databases or application components.
Cause denial-of-service (DoS) by overwriting essential system files.
Deploy malware or backdoors via arbitrary file writes.
Tamper with audit or security logs, obscuring activity traces.
Undermine data integrity and availability across Jira environments.
Create potential compliance and regulatory risks in sectors with data-handling obligations.
Detection Method
Log Review: Search web/app logs for traversal patterns (../) in authenticated requests to Jira endpoints.
File Integrity Monitoring (FIM): Detect unauthorized creation or modification of configuration, plugin, or log files under JVM-writable paths.
Change-Control Alerts: Flag modifications to XML, DB, or property files occurring outside scheduled maintenance windows.
System Behavior Monitoring: Investigate unexpected service errors or availability issues that may indicate overwritten or corrupted files.
Backup & Audit Validation: Verify the completeness and consistency of backups and audit logs.
Vendor Diagnostics: Use Atlassian-provided tools to confirm patch levels and detect historical exposure.
After upgrading, review historical logs for prior exploitation indicators and ensure no unauthorized files persist in the environment.
Indicators of Compromise
There are No Indicators of Compromise (IOCs) for this Advisory.
Recommendations
Upgrade immediately to 9.12.28, 10.3.12, or 11.1.0 (or later).
Restrict JVM filesystem permissions to limit write scope.
Segment Jira infrastructure within controlled network zones.
Enforce strong authentication and enable MFA for all users.
Continuously monitor file and configuration integrity using automated tools.
Maintain frequent verified backups to ensure quick recovery.
Track Atlassian Security Advisories for new mitigations or related CVEs.
Note: Jira Service Management Data Center and Server are also affected and require the same fixed LTS releases.
Conclusion
The disclosure of CVE-2025-22167 highlights the ongoing risks of improper input validation in enterprise platforms that handle sensitive workflows and integrations. By allowing arbitrary file writes via authenticated sessions, this vulnerability creates a direct route for data manipulation, service disruption, and secondary compromise when combined with other weaknesses. While Atlassian’s remediation reduces immediate risk, unpatched or externally accessible Jira instances remain vulnerable targets for threat actors seeking persistence or lateral movement within corporate environments. We urge organizations to prioritize immediate patch deployment, validate system integrity post-upgrade, and implement least-privilege and continuous monitoring controls to detect any anomalous file-write activity.