Cyber Posture

CVE-2025-2115

Medium · Public PoC

Published: 09 March 2025

Modified: 27 June 2025
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0004 (10.8th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Security Summary

CVE-2025-2115 is a vulnerability classified as critical in the zzskzy Warehouse Refinement Management System version 3.1. It affects the ProcessRequest function within the /AcceptZip.ashx file, where manipulation of the 'file' argument enables unrestricted file upload. The issue corresponds to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The vulnerability was published on 2025-03-09.

Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation allows limited impacts on confidentiality, integrity, and availability, primarily through the upload of arbitrary files, which could facilitate further compromise depending on server configurations.

Advisories from VulDB and a related GitHub report indicate that the exploit has been publicly disclosed and may be used in attacks. The vendor was contacted early regarding the issue but provided no response, resulting in no available patches or official mitigations at this time.

Details

CWE(s)
CWE-284, CWE-434

Affected Products

Vendor: zzskzy
Product: warehouse refinement management system
Version: 3.1

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The unrestricted file upload in a public-facing web application (/AcceptZip.ashx) maps to exploitation of a public-facing application (T1190), ingress tool transfer via arbitrary file upload (T1105), and deployment or execution of web shells or other malicious files leading to RCE (T1505.003).
