Cyber Resilience

CVE-2025-1066

Severity: Critical
Published: 06 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0019 (40.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1066 is a critical-severity vulnerability with no CWE assigned (unspecified weakness). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 40.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1066 is an arbitrary file upload vulnerability affecting OpenPLC_V3, open-source programmable logic controller software. Published on 2025-02-06, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity because of its potential for high impact on confidentiality, integrity, and availability.

The vulnerability is exploitable remotely over the network with low attack complexity, requiring neither privileges (no authentication) nor user interaction. Any unauthenticated attacker with network access can upload arbitrary files to the OpenPLC_V3 server, which could be leveraged for malvertising or phishing campaigns by hosting malicious content or payloads.

Advisories point to a patch in the OpenPLC_v3 GitHub repository via commit d1b1a3b7e97f2b3fef0876056cf9d7879991744a. Further details on the vulnerability discovery, including the researcher's experience at Cyberforce 2024, are documented in a Medium article by Ali Muhammad.

Vulnerability details

OpenPLC_V3 contains an arbitrary file upload vulnerability, which could be leveraged for malvertising or phishing campaigns.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1105 Ingress Tool Transfer (Command And Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary unauthenticated file upload on a public-facing web application directly enables remote exploitation (T1190), ingress of tools and payloads (T1105), and web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- SI-10 Information Input Validation (prevent): Validates uploaded files for type, content, and format to directly prevent arbitrary file uploads by remote unauthenticated attackers.
- SI-2 Flaw Remediation (prevent): Requires timely installation of vendor patches, such as the specific commit fixing CVE-2025-1066 in OpenPLC_V3.
- Permitted actions without authentication (prevent): Restricts and documents permitted actions without authentication, prohibiting unauthenticated file uploads over the network.
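As an added illustration of what the input-validation and no-unauthenticated-upload controls above mean for this bug class (example code written for this page, not OpenPLC_V3's own handler or the referenced fix), a server-side gatekeeper for a PLC program upload endpoint. The `.st` allowlist, the 1 MiB cap and the `PROGRAM` keyword check are assumptions about what such an endpoint expects; the `authenticated` flag stands in for whatever session check the application enforces.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example (not taken from OpenPLC_V3): the endpoint only
# expects IEC 61131-3 Structured Text sources, and nothing larger than 1 MiB.
ALLOWED_EXTENSIONS = {".st"}
MAX_UPLOAD_BYTES = 1024 * 1024
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # name the server chose, never the client's path


def validate_upload(client_filename: str, data: bytes, authenticated: bool) -> UploadDecision:
    """Gatekeeper to run before any byte of an upload touches the filesystem."""
    # The upload route must not be reachable without a session at all.
    if not authenticated:
        return UploadDecision(False, "upload requires an authenticated session")

    # Keep only the final path component so '../' or drive prefixes supplied by
    # the client cannot steer where the file is written.
    base = os.path.basename(client_filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)

    # Type check: allowlist of extensions, compared case-insensitively.
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext!r} is not permitted")

    # Format check: a conservative character set for the name the server keeps.
    if not SAFE_STEM.fullmatch(stem):
        return UploadDecision(False, "filename contains unsafe characters")

    # Size check before any parsing, so a huge body cannot exhaust memory or disk.
    if len(data) > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "upload exceeds size limit")

    # Content check: the extension alone proves nothing. An ST program is UTF-8
    # text containing a PROGRAM block; binaries or scripts renamed to .st fail here.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return UploadDecision(False, "content is not UTF-8 text")
    if "\x00" in text or not re.search(r"\bPROGRAM\b", text):
        return UploadDecision(False, "content is not a Structured Text program")

    return UploadDecision(True, "accepted", stored_name=stem + ext.lower())
```

The order matters: the cheap checks (session, name, size) run before the body is decoded, so a rejected request costs the server almost nothing.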
