CVE-2025-25361
Published: 06 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-25361 is an arbitrary file upload vulnerability in the /cms/CmsWebFileAdminController.java component of PublicCMS v4.0.202406. The flaw allows attackers to execute arbitrary code by uploading a crafted SVG or XML file, as documented under CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the targeted system, resulting in high impacts to confidentiality, integrity, and availability.
References include proof-of-concept details hosted on GitHub at https://github.com/c0rdXy/POC/blob/master/CVE/PublicCMS/XSS_02/XSS_02.md, though no specific mitigation steps or patches are outlined in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload vulnerability in PublicCMS allows remote attackers to upload crafted SVG or XML files for arbitrary code execution on a public-facing web application (T1190), facilitating web shell deployment (T1505.003).