Cyber Posture

CVE-2025-25361

Critical · Public PoC

Published: 06 March 2025
Modified: 01 July 2025
KEV Added: not listed
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25361 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in PublicCMS (vendor Publiccms, product Publiccms). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Directly mitigates the arbitrary file upload vulnerability by validating the content and types of SVG or XML files uploaded to CmsWebFileAdminController, preventing code execution.

Prevent: Restricts file uploads to safe types and sources in the vulnerable controller, blocking crafted dangerous SVG or XML files.

Prevent: Enforces authentication and authorization requirements for access to the unauthenticated CmsWebFileAdminController upload endpoint.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload vulnerability in PublicCMS allows remote attackers to upload crafted SVG or XML files for arbitrary code execution on a public-facing web application (T1190), facilitating web shell deployment (T1505.003).

NVD Description

An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.

Deeper analysis (AI-generated)

CVE-2025-25361 is an arbitrary file upload vulnerability in the /cms/CmsWebFileAdminController.java component of PublicCMS v4.0.202406. The flaw allows attackers to execute arbitrary code by uploading a crafted SVG or XML file, as documented under CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the targeted system, resulting in high impacts to confidentiality, integrity, and availability.

References include proof-of-concept details hosted on GitHub at https://github.com/c0rdXy/POC/blob/master/CVE/PublicCMS/XSS_02/XSS_02.md, though no specific mitigation steps or patches are outlined in the provided information.

Details

CWE(s)

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products

Vendor: publiccms
Product: publiccms
Version: 4.0.202406.f

CVEs Like This One

CVE-2026-3289 (same product: Publiccms Publiccms)
CVE-2026-1112 (same product: Publiccms Publiccms)
CVE-2025-57516 (same product: Publiccms Publiccms)
CVE-2025-69437 (same product: Publiccms Publiccms)
CVE-2026-1111 (same product: Publiccms Publiccms)
CVE-2020-36942 (shared CWE-434)
CVE-2024-57169 (shared CWE-434)
CVE-2023-53933 (shared CWE-434)
CVE-2025-68909 (shared CWE-434)
CVE-2021-47757 (shared CWE-434)

References

https://github.com/c0rdXy/POC/blob/master/CVE/PublicCMS/XSS_02/XSS_02.md (public proof-of-concept referenced in the analysis above)