CVE-2025-15228
Published: 29 December 2025
Summary
CVE-2025-15228 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Welltend Bpmflowwebkit. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15228 is an Arbitrary File Upload vulnerability (CWE-434) affecting BPMFlowWebkit, a product developed by WELLTEND TECHNOLOGY. Published on 2025-12-29, the flaw enables unauthenticated remote attackers to upload web shell backdoors and execute them, resulting in arbitrary code execution on the server. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its high impact on confidentiality, integrity, and availability.
The attack scenario targets systems exposing BPMFlowWebkit over the network. Unauthenticated remote attackers require no privileges, user interaction, or special conditions beyond network access and low attack complexity. Exploitation allows attackers to upload malicious files that serve as web shells, providing persistent remote code execution capabilities on the server and potentially full system compromise.
Advisories from TWCERT/CC detail the vulnerability, with English and Traditional Chinese versions available at https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html and https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html, respectively. These resources provide further guidance on identification and mitigation for affected deployments.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205563
Vulnerability details
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload in public-facing web application (BPMFlowWebkit) enables exploitation of public-facing application (T1190) and facilitates deployment/execution of web shells (T1505.003) for RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of all information inputs, directly preventing arbitrary file uploads that enable web shell deployment in BPMFlowWebkit.
SI-2 mandates timely flaw remediation, addressing the specific arbitrary file upload vulnerability in BPMFlowWebkit via patching.
SI-3 deploys malicious code protection at entry points to detect and eradicate web shells uploaded through the vulnerability.