CVE-2025-15228

Critical

Published: 29 December 2025

Published

29 December 2025

Modified

31 December 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of all information inputs, directly preventing arbitrary file uploads that enable web shell deployment in BPMFlowWebkit.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely flaw remediation, addressing the specific arbitrary file upload vulnerability in BPMFlowWebkit via patching.

SI-3 Malicious Code Protection good match

preventdetect

SI-3 deploys malicious code protection at entry points to detect and eradicate web shells uploaded through the vulnerability.

Security SummaryAI

CVE-2025-15228 is an Arbitrary File Upload vulnerability (CWE-434) affecting BPMFlowWebkit, a product developed by WELLTEND TECHNOLOGY. Published on 2025-12-29, the flaw enables unauthenticated remote attackers to upload web shell backdoors and execute them, resulting in arbitrary code execution on the server. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its high impact on confidentiality, integrity, and availability.

The attack scenario targets systems exposing BPMFlowWebkit over the network. Unauthenticated remote attackers require no privileges, user interaction, or special conditions beyond network access and low attack complexity. Exploitation allows attackers to upload malicious files that serve as web shells, providing persistent remote code execution capabilities on the server and potentially full system compromise.

Advisories from TWCERT/CC detail the vulnerability, with English and Traditional Chinese versions available at https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html and https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html, respectively. These resources provide further guidance on identification and mitigation for affected deployments.

Details

CWE(s): CWE-434

Affected Products

welltend

bpmflowwebkit

≤ 5.0.5

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Arbitrary file upload in public-facing web application (BPMFlowWebkit) enables exploitation of public-facing application (T1190) and facilitates deployment/execution of web shells (T1505.003) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html
Third Party Advisory · twcert@cert.org.tw
https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html
Third Party Advisory · twcert@cert.org.tw