Cyber Posture

CVE-2025-0471

Critical

Published: 16 January 2025

Modified
07 May 2025
KEV Added
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely.

Security Summary

CVE-2025-0471 is an unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This flaw, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type), enables attackers to upload malicious files, potentially leading to remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.9, reflecting its critical severity due to network accessibility, low complexity, and high impact across confidentiality, integrity, and availability.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N). Successful exploitation allows uploading a malicious file, granting remote access to the affected machine. This enables the attacker to freely access data, modify files, and execute arbitrary commands; the changed scope (S:C) means the impact extends beyond the vulnerable component to the wider system.

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform covers this issue alongside other vulnerabilities in the PMB platform; specific mitigation steps, such as patches or workarounds, are given in the full notice.

Details

CWE(s)
CWE-434

Affected Products

Vendor: sigb
Product: pmb
Versions: ≥ 4.0.10

References