Cyber Resilience

CVE-2025-10465

Severity: High

Published: 09 February 2026
Modified: 05 June 2026
KEV Added: not listed
Patch: none available
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0039 (30.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-10465 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability; the affected asset is recorded as Gov (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-10465 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in Sensaway, a product from Birtech Information Technologies Industry and Trade Ltd. Co. The flaw enables attackers to upload a web shell to the web server, affecting all versions of Sensaway through 09022026. It carries a CVSS v3.1 base score of 8.8 (High), reflecting network accessibility, low attack complexity, low privileges required, no user interaction needed, and high impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by low-privileged authenticated users (PR:L) over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows attackers to upload malicious files, such as web shells, granting them high-level control over the server, including potential remote code execution, data exfiltration, modification of system files, and denial of service.

The advisory from USOM (https://www.usom.gov.tr/bildirim/tr-26-0022) notes that the product was developed using outdated technology, rendering the manufacturer unable to provide fixes for this and related vulnerabilities. Users are advised to contact the manufacturer directly and evaluate updated products built with newer technology for mitigation. No patches are available for the affected versions.

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway allows Upload a Web Shell to a Web Server. This issue affects Sensaway: through 09022026. NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload (CWE-434) directly enables web shell deployment on a public-facing web server (T1505.003) and is exploitable via network access to a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

Gov (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent): Directly validates file uploads to reject dangerous types and contents like web shells, preventing exploitation of the unrestricted upload vulnerability.

SI-3 Malicious Code Protection (prevent, detect; the control identifier is not given on this page and is inferred from the description): Monitors the system for malicious code such as uploaded web shells and blocks or quarantines them to mitigate remote code execution.

SA-22 Unsupported System Components (prevent): Replaces unsupported and unpatchable outdated components like Sensaway with vendor-supported alternatives, eliminating the vulnerability as recommended by the advisory.
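One way to implement the SI-10 control on an upload handler, as an added example that is not part of this advisory and not Sensaway's code (the allowlist, size limit, script markers and function names are assumptions); it applies the CWE-434 checks a reviewer would look for: extension allowlist, magic-byte agreement with the declared type, no double extensions or path components, and a server-chosen storage name.

```python
"""Added example: server-side upload validation against CWE-434.
Hypothetical helper, not from the advisory or the Sensaway product."""
import os
import uuid

# Allowlist (assumed): extension -> acceptable leading bytes (magic numbers).
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit
# Markers of server-side script content that never belongs in an image or PDF.
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script", b"#!/")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every check is server-side: the client-
    supplied name and Content-Type are never trusted on their own."""
    base = os.path.basename(filename)
    if not base or base != filename:
        return False, "path components in filename"
    parts = base.lower().split(".")
    if len(parts) != 2:  # rejects 'shell.php.png' style double extensions
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension not allowed: {ext}"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        return False, "content does not match declared type"
    if any(m in data for m in SCRIPT_MARKERS):  # polyglot image/script files
        return False, "embedded script marker"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen random name so the client filename never reaches disk."""
    return f"{uuid.uuid4().hex}.{ext}"
```

Store accepted files outside the web root (or on a path the web server will not execute) so that even a file that passes every check cannot be invoked as a script.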
