CVE-2025-63695
Published: 18 November 2025
Description
DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly mitigates unrestricted arbitrary file uploads by implementing validation checks on file type, content, and format in the vulnerable PHP controller.
- Enforces authentication and authorization for the file upload endpoint, blocking unauthenticated remote exploitation.
- Scans and eradicates malicious code in uploaded files, such as webshells, at system entry points to limit damage from successful uploads.
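The first and third controls above (validating type, content and format, and scanning uploads for embedded code) as one worked example. This is an added illustration written in Python for this page; it is not DzzOffice's code and not the ueditor controller. The allowlist, the size limit, the code-marker list and the result fields are assumptions, and the function only decides whether to accept a file and returns a server-generated name rather than writing anything to disk.

```python
import re
import secrets

# Allowlist of accepted upload types (assumed for this example). Each entry
# pairs a lower-case extension with the magic bytes the content must start
# with and the MIME type the client is expected to declare. Anything not
# listed (.php, .phtml, .htaccess, ...) is refused outright.
ALLOWED_TYPES = {
    "png":  {"magic": (b"\x89PNG\r\n\x1a\n",), "mime": {"image/png"}},
    "jpg":  {"magic": (b"\xff\xd8\xff",),       "mime": {"image/jpeg"}},
    "jpeg": {"magic": (b"\xff\xd8\xff",),       "mime": {"image/jpeg"}},
    "gif":  {"magic": (b"GIF87a", b"GIF89a"),   "mime": {"image/gif"}},
    "pdf":  {"magic": (b"%PDF-",),              "mime": {"application/pdf"}},
}

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit

# Byte sequences that have no business inside an image or PDF; finding one
# means the file carries server-side or client-side code (webshell-style).
CODE_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")

# Only plain names are consulted; separators, null bytes etc. are refused.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_upload(filename, declared_mime, content):
    """Decide whether an upload is acceptable.

    Returns {"accepted": bool, "reason": str, "stored_name": str | None}.
    The client-supplied filename is used only to pick an allowlisted
    extension; the stored name is generated server-side.
    """
    def reject(reason):
        return {"accepted": False, "reason": reason, "stored_name": None}

    if not content:
        return reject("empty file")
    if len(content) > MAX_UPLOAD_BYTES:
        return reject("file too large")

    if not SAFE_NAME_RE.fullmatch(filename) or filename.startswith("."):
        return reject("unsafe filename")
    if "." not in filename:
        return reject("missing extension")
    ext = filename.rsplit(".", 1)[1].lower()
    rule = ALLOWED_TYPES.get(ext)
    if rule is None:
        return reject("extension not allowed")

    # Declared type, extension and actual bytes must all agree.
    if declared_mime.lower() not in rule["mime"]:
        return reject("declared MIME does not match extension")
    if not content.startswith(rule["magic"]):
        return reject("content does not match declared type")

    # Content scan: refuse files that smuggle code inside a type that
    # should contain none (the "scan at entry points" control).
    lowered = content.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        return reject("embedded code detected")

    # Random name plus allowlisted extension: no user input reaches disk,
    # so double extensions and traversal in the original name are moot.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return {"accepted": True, "reason": "ok", "stored_name": stored_name}


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a PNG with code appended.
    good_png = b"\x89PNG\r\n\x1a\n" + bytes(32)
    samples = [
        ("photo.png", "image/png", good_png),
        ("shell.php", "image/png", good_png),
        ("../photo.png", "image/png", good_png),
        ("photo.png", "image/png", good_png + b"<?php "),
    ]
    for name, mime, data in samples:
        print(name, "->", validate_upload(name, mime, data))
```

In the surrounding deployment the accepted file would be written under `stored_name` into a directory outside the web root and served back through a handler that sets a fixed Content-Type, so that even a file which passes every check is never executed by the web server.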
Security Summary [AI]
CVE-2025-63695 is an arbitrary file upload vulnerability in DzzOffice versions 2.3.7 and prior, affecting the component /dzz/system/ueditor/php/controller.php. Published on 2025-11-18, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical, and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, allowing attackers to upload arbitrary files, potentially leading to remote code execution or full server control.
References include GitHub repositories and issues such as https://github.com/Yohane-Mashiro/dzzoffice_upload and https://github.com/zyx0814/dzzoffice/issues/365, which document the vulnerability and likely include proof-of-concept demonstrations. No patch or mitigation details are given in the provided information.
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Affected Products: DzzOffice v2.3.7 and before
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Unauthenticated arbitrary file upload to the web root of a public-facing DzzOffice web application enables exploitation for initial access, and also allows upload of malicious HTML/JS for persistent XSS.