Cyber Posture

CVE-2025-59710

Severity: High
Published: 03 April 2026
Modified: 09 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An issue was discovered in Biztalk360 before 11.5. Because of incorrect access control, any user is able to request the loading of a DLL file. During the loading, a method is called. An attacker can craft a malicious DLL, upload it to the server, and use it to achieve remote code execution on the server.

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces approved authorizations so that no arbitrary user can request the loading of a DLL file; the root cause is incorrect access control on that request path.

prevent: Restricts the file types that can be uploaded to the system, directly mitigating the unrestricted upload of dangerous DLLs.

prevent: Applies least privilege so that unauthorized users lack the permissions needed to upload DLLs or to trigger their loading on the server.
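The three controls above map onto one upload gate: check who is calling, restrict what may be uploaded by name, and then confirm that the bytes are not a PE image regardless of what the name claims. The block below is an added example written for this page; it is not BizTalk360 code and does not reproduce the vulnerable endpoint. The role set, the extension allowlist and the function names are assumptions; the PE parsing (the `MZ` DOS header, `e_lfanew` at offset 0x3C, the `PE\0\0` signature, and the `IMAGE_FILE_DLL` bit in the COFF Characteristics field) follows the documented PE format. A real BizTalk360 handler would be C#, but the logic is identical.

```python
"""Upload gate illustrating authorization enforcement, file-type
restriction and least privilege (added example, not BizTalk360 code).
Roles, the extension allowlist and the function names are assumptions."""
import os
import struct

# Assumption: only these roles may upload anything at all; every other
# caller is rejected before the file is inspected.
UPLOAD_ROLES = {"admin"}

# Assumption: the application only needs a few data formats. Everything
# else (.dll, .exe, .aspx, .config, ...) is denied by default.
ALLOWED_EXTENSIONS = {".json", ".xml", ".csv", ".txt"}

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20


def pe_header_offset(data: bytes):
    """Return e_lfanew if `data` starts with a DOS stub that points at a
    complete PE signature plus COFF header, otherwise None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    return e_lfanew


def is_pe_image(data: bytes) -> bool:
    return pe_header_offset(data) is not None


def is_dll(data: bytes) -> bool:
    """True only for PE images whose COFF Characteristics carry IMAGE_FILE_DLL.
    Characteristics sits at e_lfanew + 4 (signature) + 18 (offset in COFF header)."""
    off = pe_header_offset(data)
    if off is None:
        return False
    characteristics = struct.unpack_from("<H", data, off + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def validate_upload(user_roles, filename: str, data: bytes):
    """Decide whether an upload is accepted. Returns (accepted, reason)."""
    # 1. Access enforcement / least privilege: the role check comes first.
    if not UPLOAD_ROLES & set(user_roles):
        return False, "caller lacks upload role"
    # 2. Never trust the client-supplied path: strip directories and reject
    #    NUL bytes, which can truncate the name in a later native layer.
    if "\0" in filename:
        return False, "NUL byte in filename"
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'!r} not allowed"
    # 3. Check the content, not just the name: a DLL renamed to .json is still a DLL.
    if is_pe_image(data):
        return False, "content is a PE image" + (" (DLL)" if is_dll(data) else "")
    return True, "accepted"


def build_pe_stub(characteristics: int) -> bytes:
    """Constructed test input: minimal DOS header + PE signature + COFF header.
    Not a loadable binary, just enough structure for the checks above."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    dll = build_pe_stub(0x2022)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    for roles, fname, blob in [
        ({"admin"}, "rules.json", b'{"enabled": true}'),
        ({"admin"}, "payload.dll", dll),
        ({"admin"}, "rules.json", dll),                 # renamed DLL
        ({"admin"}, "..\\..\\bin\\payload.dll", dll),   # traversal attempt
        ({"viewer"}, "rules.json", b"{}"),              # wrong role
    ]:
        print(roles, fname, "->", validate_upload(roles, fname, blob))
```

The order matters: the role check runs before any byte of the body is parsed, so an unauthorized caller never reaches the file parser, and the content check runs after the name check, so an attacker cannot bypass the allowlist by renaming a DLL to an allowed extension.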

Security Summary

CVE-2025-59710 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) affecting BizTalk360 versions prior to 11.5, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw is an access-control failure: any user can request that the server load a DLL file, and a method in that DLL is invoked during loading. An attacker who can upload a crafted DLL therefore gets remote code execution.

The vector scores the attacker as needing only network access and no privileges (PR:N) with some user interaction (UI:R). The Synacktiv advisory, however, describes the attack as feasible from any domain account, so defenders should plan for any authenticated domain user, not only an administrator, being able to reach the vulnerable request path. The adversary uploads a malicious DLL to the BizTalk360 server and triggers its loading, obtaining arbitrary code execution with the privileges of the server process. Confidentiality, integrity and availability are all fully affected (C:H/I:H/A:H) without a change of scope.

The Synacktiv advisory at https://www.synacktiv.com/en/advisories/remote-code-execution-from-any-domain-account-in-biztalk360 provides the detailed analysis. No patch details beyond upgrading to version 11.5 or later are given in the available information. Note that the affected-product range recorded below (≤ 11.6.3963.2611) extends past 11.5, so confirm the fixed build against the vendor's release notes rather than relying on the version string in the description alone.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products
Vendor: kovai
Product: biztalk360
Versions: ≤ 11.6.3963.2611

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability gives remote code execution through the upload and loading of a malicious DLL in the network-reachable BizTalk360 application (AV:N/PR:N), which is the pattern T1190 (Exploit Public-Facing Application) describes. Where the BizTalk360 instance is only reachable from inside the network, the same technique applies to an attacker who already holds a domain account and network access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Synacktiv advisory (remote code execution from any domain account in BizTalk360): https://www.synacktiv.com/en/advisories/remote-code-execution-from-any-domain-account-in-biztalk360