CVE-2025-2396

High

Published: 17 March 2025

Published

17 March 2025

Modified

18 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0199 83.8th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2396 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Edetw U-Office Force. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2025-2396 by requiring timely remediation of the specific arbitrary file upload flaw through patching.

SI-10 Information Input Validation good match

prevent

Prevents unrestricted upload of dangerous files like web shells by validating all information inputs at upload endpoints.

SI-3 Malicious Code Protection good match

preventdetect

Detects and eradicates uploaded web shell backdoors as malicious code at network entry points before execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The arbitrary file upload vulnerability in a public-facing web application directly enables remote exploitation (T1190) to upload and execute web shell backdoors for arbitrary code execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Deeper analysisAI

CVE-2025-2396 is an Arbitrary File Upload vulnerability in U-Office Force from e-Excellence, published on 2025-03-17T06:15:26.113. Associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 8.8 (High: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw enables remote attackers with regular privileges to upload and execute web shell backdoors, resulting in arbitrary code execution on the server.

Remote attackers possessing low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) by executing arbitrary code, potentially leading to full server compromise within an unchanged security scope (S:U).

Advisories from TWCERT/CC provide further details on the vulnerability, available at https://www.twcert.org.tw/en/cp-139-10014-69aa5-2.html and https://www.twcert.org.tw/tw/cp-132-10013-0d371-1.html.