Cyber Resilience

CVE-2025-25361

CriticalPublic PoC

Published: 06 March 2025

Published
06 March 2025
Modified
01 July 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25361 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Publiccms Publiccms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25361 is an arbitrary file upload vulnerability in the /cms/CmsWebFileAdminController.java component of PublicCMS v4.0.202406. The flaw allows attackers to execute arbitrary code by uploading a crafted SVG or XML file, as documented under CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the targeted system, resulting in high impacts to confidentiality, integrity, and availability.

References include proof-of-concept details hosted on GitHub at https://github.com/c0rdXy/POC/blob/master/CVE/PublicCMS/XSS_02/XSS_02.md, though no specific mitigation steps or patches are outlined in the provided information.

EU & UK References

Vulnerability details

An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload vulnerability in PublicCMS allows remote attackers to upload crafted SVG or XML files for arbitrary code execution on a public-facing web application (T1190), facilitating web shell deployment (T1505.003).

CVEs Like This One

CVE-2026-3289Same product: Publiccms Publiccms
CVE-2026-1112Same product: Publiccms Publiccms
CVE-2025-69437Same product: Publiccms Publiccms
CVE-2025-57516Same product: Publiccms Publiccms
CVE-2026-1111Same product: Publiccms Publiccms
CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434

Affected Assets

publiccms
publiccms
4.0.202406.f

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates arbitrary file upload vulnerability by validating content and types of SVG or XML files uploaded to CmsWebFileAdminController to prevent code execution.

prevent

Restricts file uploads to safe types and sources in the vulnerable controller, blocking crafted dangerous SVG or XML files.

prevent

Enforces authentication and authorization requirements for access to the unauthenticated CmsWebFileAdminController upload endpoint.

References