Cyber Resilience

CVE-2025-2396

High

Published: 17 March 2025

Published
17 March 2025
Modified
18 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0199 84.0th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2396 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Edetw U-Office Force. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The U-Office Force application from e-Excellence contains an arbitrary file upload vulnerability tracked as CVE-2025-2396 and CWE-434. The flaw permits unauthenticated or low-privileged remote attackers to upload executable files such as web shells directly to the server, resulting in arbitrary code execution. It carries a CVSS 3.1 base score of 8.8 with an attack vector of network, low complexity, and low privileges required.

An attacker who already possesses regular user credentials can send a crafted upload request over the network to place and execute a web shell, thereby gaining full control of the underlying server including the ability to read, modify, or delete data and potentially pivot further into the environment. No user interaction is needed on the part of the victim.

Taiwan's CERT has published advisories detailing the issue at the referenced URLs; these documents are the primary source for official mitigation steps such as applying vendor patches or configuration changes. The associated EPSS score rose from a low baseline to a peak of 0.0381, indicating that exploitation interest increased after public disclosure.

EU & UK References

Vulnerability details

The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The arbitrary file upload vulnerability in a public-facing web application directly enables remote exploitation (T1190) to upload and execute web shell backdoors for arbitrary code execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3422Same product: Edetw U-Office Force
CVE-2025-2395Same product: Edetw U-Office Force
CVE-2025-12865Same product: Edetw U-Office Force
CVE-2025-12864Same product: Edetw U-Office Force
CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434
CVE-2026-35164Shared CWE-434

Affected Assets

edetw
u-office force
≤ 28.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-2396 by requiring timely remediation of the specific arbitrary file upload flaw through patching.

prevent

Prevents unrestricted upload of dangerous files like web shells by validating all information inputs at upload endpoints.

preventdetect

Detects and eradicates uploaded web shell backdoors as malicious code at network entry points before execution.

References