CVE-2025-22389

High

Published: 04 January 2025

Published

04 January 2025

Modified

20 May 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0042 62.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22389 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Optimizely Optimizely Cms. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 37.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validating uploaded files to ensure they conform to expected formats and reject dangerous types like .docm and .html.

SI-9 Information Input Restrictions good match

prevent

Restricts the types of files that can be uploaded to the CMS, preventing acceptance of unrestricted dangerous file extensions.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys malicious code protection at upload entry points to scan and eradicate threats in potentially malicious uploaded files.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Unrestricted file upload (CWE-434) directly allows placement of malicious files (.docm, .html) on the server; victim access triggers execution (UI:R), mapping to malicious file user execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by…

application users, these files can be used to execute malicious actions or compromise users' systems.

Deeper analysisAI

CVE-2025-22389 is a file upload validation vulnerability in Optimizely EPiServer.CMS.Core versions prior to 12.32.0. The CMS fails to properly validate uploaded files, permitting the upload of potentially malicious file types such as .docm and .html. This issue, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-01-04.

The vulnerability can be exploited by an authenticated attacker with low privileges (PR:L) who has access to upload functionality. Exploitation occurs over the network (AV:N) with low complexity (AC:L) but requires user interaction (UI:R) from a victim accessing the uploaded file. This enables execution of malicious actions, potentially compromising the victim's system with high impacts on confidentiality, integrity, and availability.

Mitigation guidance and patch details are provided in the official Optimizely Content Management System (CMS) Security Advisory CMS-2025-03, available at https://support.optimizely.com/hc/en-us/articles/33182404079629-Content-Management-System-CMS-Security-Advisory-CMS-2025-03.