Cyber Posture

CVE-2025-14532

Critical

Published: 02 March 2026

Published
02 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0025 48.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution. This issue was fixed in versions above 5.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mandates validation of file upload inputs to reject dangerous types and extensions, preventing RCE from unrestricted uploads.

SI-9 Information Input Restrictions good match
prevent

Enforces restrictions on classes of files that can be uploaded, blocking arbitrary file types that enable RCE.

SC-14 Public Access Protections good match
prevent

Protects publicly accessible upload endpoints by enforcing authorizations and preventing unauthorized file transfers leading to RCE.

Security SummaryAI

CVE-2025-14532 is a critical vulnerability in DobryCMS's file upload functionality, which permits unauthenticated remote attackers to upload files of any type and extension without restrictions. This flaw affects DobryCMS versions 5.0 and earlier, enabling unrestricted file uploads that can lead to remote code execution (RCE). The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility, low complexity, and lack of privileges required.

An unauthenticated attacker can exploit this vulnerability remotely by accessing the upload endpoint and submitting arbitrary files, such as web shells or executable scripts, without authentication or validation checks. Successful exploitation allows full RCE on the server, potentially granting attackers complete control over the affected DobryCMS instance, including data exfiltration, persistence, or lateral movement within the environment.

The issue was addressed in DobryCMS versions above 5.0, where restrictions on file types and extensions were implemented. Additional details are available in the advisory at https://cert.pl/posts/2026/03/CVE-2025-12462/. Security practitioners should upgrade to a patched version and review upload configurations for similar unrestricted endpoints.

Details

CWE(s)
CWE-434

Affected Products

studiofabryka
dorbycms
1.0 — 5.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Unrestricted unauthenticated file upload in public-facing CMS enables exploitation of public-facing application (T1190) and direct deployment of web shells (T1100) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References