Cyber Resilience

CVE-2025-15228

Critical

Published: 29 December 2025

Published
29 December 2025
Modified
31 December 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0051 39.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-15228 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Welltend Bpmflowwebkit. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15228 is an Arbitrary File Upload vulnerability (CWE-434) affecting BPMFlowWebkit, a product developed by WELLTEND TECHNOLOGY. Published on 2025-12-29, the flaw enables unauthenticated remote attackers to upload web shell backdoors and execute them, resulting in arbitrary code execution on the server. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its high impact on confidentiality, integrity, and availability.

The attack scenario targets systems exposing BPMFlowWebkit over the network. Unauthenticated remote attackers require no privileges, user interaction, or special conditions beyond network access and low attack complexity. Exploitation allows attackers to upload malicious files that serve as web shells, providing persistent remote code execution capabilities on the server and potentially full system compromise.

Advisories from TWCERT/CC detail the vulnerability, with English and Traditional Chinese versions available at https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html and https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html, respectively. These resources provide further guidance on identification and mitigation for affected deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload in public-facing web application (BPMFlowWebkit) enables exploitation of public-facing application (T1190) and facilitates deployment/execution of web shells (T1505.003) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47888Shared CWE-434
CVE-2025-1028Shared CWE-434
CVE-2025-25361Shared CWE-434
CVE-2025-69559Shared CWE-434
CVE-2025-46384Shared CWE-434
CVE-2026-35047Shared CWE-434
CVE-2025-10041Shared CWE-434
CVE-2020-36863Shared CWE-434
CVE-2025-57794Shared CWE-434
CVE-2025-21624Shared CWE-434

Affected Assets

welltend
bpmflowwebkit
≤ 5.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of all information inputs, directly preventing arbitrary file uploads that enable web shell deployment in BPMFlowWebkit.

prevent

SI-2 mandates timely flaw remediation, addressing the specific arbitrary file upload vulnerability in BPMFlowWebkit via patching.

preventdetect

SI-3 deploys malicious code protection at entry points to detect and eradicate web shells uploaded through the vulnerability.

References