CVE-2025-10465
Published: 09 February 2026
Summary
CVE-2025-10465 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Sensaway, a product from Birtech Information Technologies Industry and Trade Ltd. Co. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-10465 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in Sensaway, a product from Birtech Information Technologies Industry and Trade Ltd. Co. The flaw enables attackers to upload a web shell to the web server, affecting all versions of Sensaway through 09022026. It carries a CVSS v3.1 base score of 8.8 (High), reflecting network accessibility, low attack complexity, low privileges required, no user interaction needed, and high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by low-privileged authenticated users (PR:L) over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows attackers to upload malicious files, such as web shells, granting them high-level control over the server, including potential remote code execution, data exfiltration, modification of system files, and denial of service.
The advisory from USOM (https://www.usom.gov.tr/bildirim/tr-26-0022) notes that the product was developed using outdated technology, rendering the manufacturer unable to provide fixes for this and related vulnerabilities. Users are advised to contact the manufacturer directly and evaluate updated products built with newer technology for mitigation. No patches are available for the affected versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207364
Vulnerability details
Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway allows Upload a Web Shell to a Web Server. This issue affects Sensaway: through 09022026. NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload (CWE-434) directly enables web shell deployment on a public-facing web server (T1505.003) and is exploitable via network access to a public-facing application (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly validates file uploads to reject dangerous types and contents like web shells, preventing exploitation of the unrestricted upload vulnerability.
Monitors the system for malicious code such as uploaded web shells and blocks or quarantines them to mitigate remote code execution.
Replaces unsupported and unpatchable outdated components like Sensaway with vendor-supported alternatives, eliminating the vulnerability as recommended by the advisory.