CVE-2025-2705
Published: 24 March 2025
Summary
CVE-2025-2705 is a medium-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-2705 is a critical vulnerability in Digiwin ERP 5.1, affecting the DoUpload and DoWebUpload functions within the /Api/FileUploadApi.ashx component. The issue arises from manipulation of the File argument, enabling unrestricted file upload. Published on 2025-03-24, it is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability, allowing them to upload arbitrary files over the network with low attack complexity. Exploitation can result in low impacts to confidentiality, integrity, and availability, potentially enabling further compromise depending on the uploaded file type.
Advisories from VulDB and related GitHub reports indicate that the vendor was contacted early regarding disclosure but provided no response. No patches or official mitigations are referenced, and full exploit details have been publicly disclosed, making active use possible.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7993
Vulnerability details
A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The…
more
exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in public-facing web component directly enables T1190 for initial access; facilitates T1505.003 via arbitrary malicious file (e.g., web shell) upload.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates unrestricted file upload by requiring validation of the File argument to block dangerous file types in the /Api/FileUploadApi.ashx endpoint.
Enforces approved access controls to prevent unauthorized manipulation of the File argument and unrestricted uploads via the vulnerable DoUpload/DoWebUpload functions.
Requires timely identification, reporting, and remediation of the critical unrestricted file upload flaw in Digiwin ERP 5.1.