Cyber Posture

CVE-2025-56704

HighPublic PoC

Published: 09 December 2025

Published
09 December 2025
Modified
11 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 31.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly mandates validation of uploaded files to block dangerous types like PHP-in-ZIP, addressing the core lack of proper file validation in this CVE.

SI-9 Information Input Restrictions good match
prevent

SI-9 enforces restrictions on file types, extensions, and sizes at upload boundaries to prevent unrestricted dangerous file uploads.

SI-3 Malicious Code Protection good match
preventdetect

SI-3 requires scanning uploads for malicious code, preventing or detecting PHP shells and other exploits from arbitrary file uploads.

Security SummaryAI

CVE-2025-56704, published on 2025-12-09, is an arbitrary file upload vulnerability in LeptonCMS version 7.3.0. The flaw stems from a lack of proper validation for uploaded files, earning a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-434 (Unrestricted Upload of File with Dangerous Type).

An authenticated attacker with low privileges can exploit the vulnerability remotely over the network with low complexity and no user interaction required. By uploading a specially crafted ZIP/PHP file, the attacker achieves arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability.

Advisories and additional details on the vulnerability, including potential mitigations, are documented in the vendor notice at http://lepton.com and technical reports available at https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_A.pdf, https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_B.pdf, and https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_C.pdf.

Details

CWE(s)
CWE-434

Affected Products

lepton-cms
leptoncms
7.3.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Arbitrary file upload vulnerability allows authenticated attackers to upload malicious PHP files for remote code execution, mapping to exploitation of public-facing applications (T1190) and web shell deployment (T1100, T1505.003).

References