CVE-2025-63601
Published: 05 November 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-63601, published on 2025-11-05, is a remote code execution vulnerability affecting Snipe-IT versions before 8.3.3. The issue, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). It enables an authenticated attacker to upload a malicious backup file containing arbitrary files, resulting in the execution of system commands on the server.
The vulnerability can be exploited by an attacker with low-privilege authenticated access over the network. Exploitation requires low complexity and no user interaction, with a changed scope that amplifies impact to high levels across confidentiality, integrity, and availability. Successful attacks allow arbitrary system command execution, potentially leading to full server compromise.
Official mitigation is provided via upgrade to Snipe-IT version 8.3.3, as detailed in the GitHub release tag. A corresponding fix is included in pull request #17966 on the Snipe-IT repository. Additional advisory details and proof-of-concept information are available from DappSec and FPT Cloud references.
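As an added illustration of the CWE-434 hardening this advisory points at (example code written for this page, not Snipe-IT's own fix from PR #17966), the check below inspects every member of an uploaded backup archive before anything is restored and rejects path traversal, absolute paths, symlinks and file types a backup should never carry. It assumes the backup is a zip archive and assumes an allowlist of expected member types; both are assumptions, not details from the advisory.

```python
import io
import posixpath
import zipfile
from typing import Optional

# Allowlist of member types a backup restore is expected to carry (assumed for this example).
ALLOWED_SUFFIXES = (".sql", ".sql.gz", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".csv")
S_IFMT, S_IFLNK = 0o170000, 0o120000  # unix mode bits stored in the zip external attributes


def entry_problem(info: zipfile.ZipInfo) -> Optional[str]:
    """Return why this archive member must not be restored, or None if it is acceptable."""
    name = info.filename
    if name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return f"absolute or drive-qualified path: {name}"
    normalized = posixpath.normpath(name.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        return f"path traversal: {name}"
    if (info.external_attr >> 16) & S_IFMT == S_IFLNK:
        return f"symlink entry: {name}"
    if info.is_dir():
        return None
    if not normalized.lower().endswith(ALLOWED_SUFFIXES):
        return f"disallowed file type: {name}"  # e.g. a server-side script dropped into a web root
    return None


def validate_backup(data: bytes) -> list:
    """Inspect the whole archive up front; an empty list means every member passed."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        problems = [entry_problem(info) for info in archive.infolist()]
    return [p for p in problems if p]


def build_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: content}; constructed demo data, not a real backup."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    clean = build_archive({"db-dumps/snipeit.sql": b"-- constructed dump", "uploads/avatar.png": b"png"})
    tainted = build_archive({"db-dumps/snipeit.sql": b"-- constructed dump",
                             "../public/uploads/x.png": b"placeholder",
                             "public/uploads/extra.php": b"placeholder"})
    print("clean  :", validate_backup(clean))    # []
    print("tainted:", validate_backup(tainted))  # traversal + disallowed file type
```

Only after `validate_backup` returns an empty list should the restore path extract anything; rejecting the whole archive on the first bad member, rather than skipping it, keeps a partially restored state off the server.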
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote code execution via unrestricted file upload in a web application (Snipe-IT), which maps directly to exploitation of a public-facing or remotely accessible application (T1190). Because only low-privilege authentication is required, successful exploitation escalates a low-privileged account to server-level command execution (T1068).