CVE-2025-2216
Published: 12 March 2025
Description
A vulnerability in zzskzy Warehouse Refinement Management System 1.3: the UploadCrash function of the file /crash/log/SaveCrash.ashx does not restrict the type of the file supplied in the "file" argument, which allows unrestricted file upload (CWE-434). The attack can be launched remotely.
Security Summary
CVE-2025-2216, published on 2025-03-12, is a vulnerability in the zzskzy Warehouse Refinement Management System version 1.3. VulDB describes it as critical, but its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) falls in the Medium band. It affects the UploadCrash function within the file /crash/log/SaveCrash.ashx, where manipulation of the "file" argument enables unrestricted file upload. The issue is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-284 (Improper Access Control).
The vector means a remote attacker who already holds a low-privileged account can exploit the flaw with low complexity and no user interaction. The score accounts only for limited (Low) impact on confidentiality, integrity and availability. In practice the consequence of an unrestricted upload depends on where the file is written and whether the server will execute it: if an attacker can place an .aspx or .ashx handler under the web root and then request it, the result is code execution on the server, which the vector does not reflect.
Advisories from VulDB indicate that the vendor was contacted early about the disclosure but did not respond or release a patch. Exploit details have been publicly disclosed, including in a GitHub repository, so the vulnerability may be used by attackers. With no vendor fix available, mitigation falls to the operator: restrict access to /crash/log/SaveCrash.ashx to trusted clients, and make sure the directory into which crash logs are written is neither served nor executed by the web server.
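The following is an added example, not the vendor's code (the zzskzy handler source is not public on this page): it shows the CWE-434 pattern the advisory describes next to a hardened validator for a crash-log upload. The directory names, the allowed extensions and the content checks are assumptions chosen for the illustration; the sample uploads are constructed.

```python
import posixpath
import re
import secrets
from dataclasses import dataclass


@dataclass
class Upload:
    """Constructed stand-in for what the handler sees in the "file" argument."""
    filename: str      # client-supplied name
    content: bytes     # file body


# Assumptions (not from the advisory): where the app serves from and where
# crash logs should be stored. The storage directory sits outside the web root.
WEB_ROOT = "/var/app/wwwroot"
CRASH_LOG_DIR = "/var/app/crashlogs"
ALLOWED_EXT = {".log", ".txt"}                      # crash logs are plain text
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def save_crash_vulnerable(up: Upload) -> str:
    """The CWE-434 pattern: the client-chosen name decides extension and path.
    Returns where the file would be written (the write itself is omitted)."""
    return posixpath.join(WEB_ROOT, "crash/log", up.filename)


class UploadRejected(ValueError):
    pass


def validate_crash_upload(up: Upload) -> str:
    """Return a server-chosen destination path, or raise UploadRejected."""
    name = up.filename
    if "\x00" in name or "/" in name or "\\" in name:
        raise UploadRejected("path separator or NUL in filename")
    if not SAFE_NAME.match(name):                    # one dot only: blocks 'a.aspx.log', '..'
        raise UploadRejected("unexpected characters or double extension")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:                        # blocks .aspx/.ashx/.asmx/.config ...
        raise UploadRejected(f"extension {ext!r} not allowed")
    try:
        text = up.content.decode("utf-8")             # a crash log must be text
    except UnicodeDecodeError:
        raise UploadRejected("content is not UTF-8 text")
    if "<%" in text or "<script" in text.lower():      # ASP or script markers in a 'log'
        raise UploadRejected("script markers in content")
    # Never reuse the client name: random name, server-chosen extension.
    dest = posixpath.join(CRASH_LOG_DIR, secrets.token_hex(16) + ext)
    assert posixpath.commonpath([CRASH_LOG_DIR, dest]) == CRASH_LOG_DIR
    return dest


def decide(up: Upload) -> str:
    """'accepted' or 'rejected: <reason>' for the hardened validator."""
    try:
        validate_crash_upload(up)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"
```

The vulnerable function accepts "shell.aspx" and "../../web.config" unchanged, which is exactly the class of input the "file" argument must not control. The hardened version checks the name, the extension and the content independently, and even then does not use the client's name for storage; an allowlist plus a random server-side name removes the double-extension, traversal and case tricks in one step.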
Details
CWE(s)
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-284: Improper Access Control
Affected Products
- zzskzy Warehouse Refinement Management System 1.3
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1608.002: Stage Capabilities: Upload Tool
Why these techniques?
The vulnerable endpoint (/crash/log/SaveCrash.ashx) is reached over the network on a public-facing web application, so exploiting it is Exploit Public-Facing Application (T1190). The advisories also map it to Stage Capabilities: Upload Tool (T1608.002), whose ATT&CK description reads "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting"; strictly, that technique covers staging on attacker-controlled infrastructure, and uploading a tool or web shell onto the victim server itself is closer to Ingress Tool Transfer (T1105), so treat the T1608.002 mapping as the advisories' choice rather than a precise fit. Where the uploaded file is written to a location the server will execute, exploitation leads to remote code execution.
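For detection, the upload-then-execute sequence is what to hunt for: a POST to the vulnerable handler followed shortly by a request, from the same client, for a server-executable file that nobody had requested before. The following is an added example, not from the advisories or the vendor: it runs that correlation over constructed IIS W3C log lines. The field layout, the ten-minute window and the upload directory in the sample (/crash/log/upload/) are assumptions.

```python
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/crash/log/savecrash.ashx"                       # compared lower-cased
SCRIPT_EXT = (".ashx", ".aspx", ".asmx", ".asax", ".svc", ".soap")  # executed by IIS/ASP.NET
WINDOW = timedelta(minutes=10)       # assumption: a dropped file is fetched soon after upload

# Constructed sample. Real IIS logs replace spaces inside the User-Agent with '+',
# so each record stays one token per field.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-12 09:10:00 10.0.0.5 GET /default.aspx - 443 user2 198.51.100.9 WarehouseClient/1.3 200
2025-03-12 09:14:02 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-03-12 09:14:20 10.0.0.5 POST /crash/log/SaveCrash.ashx - 443 user1 203.0.113.7 python-requests/2.31 200
2025-03-12 09:14:25 10.0.0.5 GET /crash/log/upload/cmd.aspx cmd=whoami 443 user1 203.0.113.7 python-requests/2.31 200
2025-03-12 09:30:00 10.0.0.5 POST /crash/log/SaveCrash.ashx - 443 user2 198.51.100.9 WarehouseClient/1.3 200
2025-03-12 09:31:00 10.0.0.5 GET /default.aspx - 443 user2 198.51.100.9 WarehouseClient/1.3 200
"""


def parse(log: str):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_upload_then_execute(log: str):
    """Return (client_ip, upload_time, fetched_uri) for each client that POSTs to the
    upload handler and, within WINDOW, successfully requests a server-executable URI
    that had not appeared in the log before that POST."""
    seen_before = set()       # URIs requested so far (baseline of known paths)
    pending = {}              # c-ip -> timestamp of its most recent upload POST
    hits = []
    for r in parse(log):
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        uri = r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST" and uri == UPLOAD_ENDPOINT:
            pending[r["c-ip"]] = ts
        elif uri.endswith(SCRIPT_EXT) and uri != UPLOAD_ENDPOINT and uri not in seen_before:
            t0 = pending.get(r["c-ip"])
            if t0 is not None and ts - t0 <= WINDOW and r["sc-status"] == "200":
                hits.append((r["c-ip"], t0.isoformat(sep=" "), r["cs-uri-stem"]))
        seen_before.add(uri)
    return hits


if __name__ == "__main__":
    for ip, when, uri in find_upload_then_execute(SAMPLE_LOG):
        print(f"{ip} uploaded at {when} then executed {uri}")
```

The second client (198.51.100.9) also uses the upload handler but only revisits a page that already existed in the baseline, so it is not flagged; the first client's request for a never-before-seen .aspx five seconds after its POST is. The "never seen before" test is only as good as the baseline the log covers, so on a real deployment seed seen_before from a crawl of the application's known handlers, and review every POST to SaveCrash.ashx from an unexpected user agent regardless of what follows.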