CVE-2025-15226

Critical

Published: 29 December 2025

Published

29 December 2025

Modified

31 December 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the arbitrary file upload vulnerability by requiring timely application of patches or updates specific to CVE-2025-15226.

SI-10 Information Input Validation good match

prevent

Validates the format, type, and content of uploaded files to block dangerous web shells and prevent unrestricted file uploads.

AC-3 Access Enforcement good match

prevent

Enforces access control policies requiring authentication for file upload endpoints, blocking unauthenticated remote attackers.

Security SummaryAI

CVE-2025-15226 is an arbitrary file upload vulnerability in WMPro, a product developed by Sunnet. The flaw enables unauthenticated remote attackers to upload web shell backdoors and execute them, resulting in arbitrary code execution on the server. It is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

Any unauthenticated attacker with network access can exploit this vulnerability without requiring privileges, user interaction, or complex conditions. Successful exploitation allows attackers to upload malicious files, execute web shells, and achieve full remote code execution on the server, potentially leading to complete system compromise, data theft, or further lateral movement.

Advisories from Taiwan CERT (TWCERT) provide details on the vulnerability at https://www.twcert.org.tw/en/cp-139-10603-67149-2.html and https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html, which security practitioners should consult for recommended mitigations and patches.

Details

CWE(s): CWE-434

Affected Products

sun.net

wmpro

5.0 — 5.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing web application (T1190) to upload and execute web shells (T1100), directly enabling arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.twcert.org.tw/en/cp-139-10603-67149-2.html
Third Party Advisory · twcert@cert.org.tw
https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html
Third Party Advisory · twcert@cert.org.tw