CVE-2025-41735
Published: 18 November 2025
Description
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of uploaded files to block dangerous types and arbitrary placements, addressing the core missing file check vulnerability.
Enforces access controls to prevent low-privileged remote users from writing files to unauthorized system locations.
Restricts classes of allowed information inputs, such as prohibiting dangerous file types that could lead to RCE.
Security SummaryAI
CVE-2025-41735, published on 2025-11-18, is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). It arises from a missing file check that permits arbitrary file uploads to any location on the affected system, enabling remote code execution.
A low-privileged remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to achieve high confidentiality, integrity, and availability impacts, including full remote code execution on the target system.
For mitigation details, refer to the advisory at https://certvde.com/de/advisories/VDE-2025-097.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unrestricted arbitrary file upload to any location, leading to remote code execution over the network, directly facilitating T1190: Exploit Public-Facing Application.