CVE-2025-1066
Published: 06 February 2025
Description
OpenPLC_V3 contains an arbitrary file upload vulnerability, which could be leveraged for malvertising or phishing campaigns.
Security Summary
CVE-2025-1066 is an arbitrary file upload vulnerability affecting OpenPLC_V3, an open-source programmable logic controller (PLC) runtime and web interface. Published on 2025-02-06, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact across confidentiality, integrity, and availability.
The vulnerability is exploitable remotely over the network with low attack complexity, requiring neither privileges nor user interaction. Any unauthenticated attacker with network access can upload arbitrary files to the OpenPLC_V3 server, which could be leveraged for malvertising or phishing campaigns by hosting malicious content or payloads on the affected host.
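The advisory does not describe the affected endpoint, so the following is an added example of the defensive pattern an upload handler needs rather than OpenPLC_V3's own code or its fix. It is in Python because the OpenPLC_V3 web interface is Python-based. Everything below is assumed for illustration: the storage directory, the size limit, the allowlisted types (.st Structured Text programs and .zip bundles) and the sample inputs, none of which come from the advisory. It shows the checks that close the gap the CVSS vector describes: the request is refused before parsing when unauthenticated, the client-supplied name is reduced to a safe basename, the extension is allowlisted, the bytes are checked against the claimed type, archive entries are checked for traversal and expansion size, and the stored name is chosen by the server.

```python
"""Hardened handling of user-uploaded files (added example, not OpenPLC_V3 code)."""
import io
import os
import re
import secrets
import zipfile

UPLOAD_ROOT = "/var/lib/example-plc/uploads"  # hypothetical storage directory
MAX_BYTES = 5 * 1024 * 1024                    # assumed per-upload size limit
ALLOWED_EXTENSIONS = {".st", ".zip"}           # allowlist, never a denylist
ZIP_MAGIC = b"PK\x03\x04"


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; nothing is written to disk."""


def sanitize_name(filename: str) -> str:
    """Reduce a client-supplied name to a plain basename with safe characters.

    Directory components (including '..') are discarded rather than merely
    checked, so the name alone can never escape UPLOAD_ROOT.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    if base in ("", ".", "..") or base.startswith("."):
        raise UploadRejected("invalid filename")
    return base


def check_extension(name: str) -> str:
    """Return the final extension if it is on the allowlist."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    return ext


def check_content(ext: str, data: bytes) -> None:
    """Verify the bytes match the claimed type; the filename proves nothing."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if ext == ".zip":
        if not data.startswith(ZIP_MAGIC):
            raise UploadRejected("not a zip archive")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                total = 0
                for info in zf.infolist():
                    parts = info.filename.replace("\\", "/").split("/")
                    if info.filename.startswith("/") or ".." in parts:
                        raise UploadRejected("archive entry escapes extraction dir")
                    total += info.file_size  # uncompressed size, guards zip bombs
                    if total > MAX_BYTES:
                        raise UploadRejected("archive expands beyond size limit")
        except zipfile.BadZipFile:
            raise UploadRejected("corrupt zip archive") from None
    elif ext == ".st":
        # Structured Text is plain UTF-8; NUL bytes or undecodable data mean binary.
        if b"\x00" in data:
            raise UploadRejected("binary content in text upload")
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not UTF-8") from None


def validate_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Return (stored_name, absolute_path) for an upload that passes every check.

    The stored name is random with only the allowed extension appended, so the
    client cannot choose the served name or smuggle a double extension.
    """
    name = sanitize_name(filename)
    ext = check_extension(name)
    check_content(ext, data)
    stored = secrets.token_hex(8) + ext
    return stored, os.path.join(UPLOAD_ROOT, stored)


def handle_upload(authenticated: bool, filename: str, data: bytes) -> tuple[str, str]:
    """Entry point: an unauthenticated request is refused before any parsing."""
    if not authenticated:
        raise UploadRejected("authentication required")
    return validate_upload(filename, data)


def is_rejected(authenticated: bool, filename: str, data: bytes) -> bool:
    """Convenience predicate: True when the upload would be refused."""
    try:
        handle_upload(authenticated, filename, data)
    except UploadRejected:
        return True
    return False


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: bytes} (fixture helper for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample inputs (not from the advisory).
SAMPLE_ST = b"PROGRAM main\n  VAR x : BOOL; END_VAR\nEND_PROGRAM\n"
SAMPLE_ZIP_OK = make_zip({"main.st": SAMPLE_ST})
SAMPLE_ZIP_TRAVERSAL = make_zip({"../main.st": SAMPLE_ST})

if __name__ == "__main__":
    print(handle_upload(True, "../../main.st", SAMPLE_ST))
```

The order of the checks is the point: authentication first, then name, extension, and content, so an unauthenticated client never reaches the parser, and a malformed archive is rejected by a specific error rather than an unhandled exception. Because the server picks the stored name, a later web tier cannot be persuaded to serve an uploaded file as HTML or script under a client-chosen name, which is the hosting scenario the advisory warns about.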
Advisories reference a fix in the OpenPLC_v3 GitHub repository at commit d1b1a3b7e97f2b3fef0876056cf9d7879991744a. Further details on the discovery, including the researcher's experience at Cyberforce 2024, are documented in a Medium article by Ali Muhammad.
Details
- CWE(s)