CVE-2025-14532

Critical

Published: 02 March 2026

Published

02 March 2026

Modified

05 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0027 50.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14532 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Studiofabryka Dorbycms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 50.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mandates validation of file upload inputs to reject dangerous types and extensions, preventing RCE from unrestricted uploads.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on classes of files that can be uploaded, blocking arbitrary file types that enable RCE.

SC-14 Public Access Protections good match

prevent

Protects publicly accessible upload endpoints by enforcing authorizations and preventing unauthorized file transfers leading to RCE.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Unrestricted unauthenticated file upload in public-facing CMS enables exploitation of public-facing application (T1190) and direct deployment of web shells (T1100) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution. This issue was fixed in versions above 5.0.

Deeper analysisAI

CVE-2025-14532 is a critical vulnerability in DobryCMS's file upload functionality, which permits unauthenticated remote attackers to upload files of any type and extension without restrictions. This flaw affects DobryCMS versions 5.0 and earlier, enabling unrestricted file uploads that can lead to remote code execution (RCE). The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility, low complexity, and lack of privileges required.

An unauthenticated attacker can exploit this vulnerability remotely by accessing the upload endpoint and submitting arbitrary files, such as web shells or executable scripts, without authentication or validation checks. Successful exploitation allows full RCE on the server, potentially granting attackers complete control over the affected DobryCMS instance, including data exfiltration, persistence, or lateral movement within the environment.

The issue was addressed in DobryCMS versions above 5.0, where restrictions on file types and extensions were implemented. Additional details are available in the advisory at https://cert.pl/posts/2026/03/CVE-2025-12462/. Security practitioners should upgrade to a patched version and review upload configurations for similar unrestricted endpoints.