CVE-2025-2952
Published: 30 March 2025
Summary
CVE-2025-2952 is an Improper Access Control (CWE-284) vulnerability in Bluestar Micro Mall 1.0. This summary rates it Medium with a CVSS base score of 5.3; the VulDB advisory cited below classifies it as critical and gives a CVSS v3.1 base score of 6.3 (see Deeper analysis), so treat the two scores as coming from different scoring sources rather than as one figure.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 31.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-2952 is a vulnerability in Bluestar Micro Mall 1.0, classified as critical by VulDB, that enables unrestricted file upload. The issue lies in an unknown function of the file /api/api.php?mod=upload&type=1, where manipulation of the File argument lets an attacker upload files without restriction on type. It is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 6.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, which does compute to 6.3), and was published on 2025-03-30.
The vulnerability is exploitable remotely over the network by an attacker holding a low-privileged account (PR:L), with low attack complexity and no user interaction. The vector rates the direct impact on confidentiality, integrity, and availability as low (C:L/I:L/A:L), but the practical risk depends on server configuration: if uploaded files are stored under the web root and the server executes scripts from that location, a single uploaded web shell turns this into full code execution on the host. A public exploit has been disclosed and may be in use.
Advisories and additional details are available from VulDB (https://vuldb.com/?ctiid.302005 and https://vuldb.com/?id.302005) and a Jianshu article (https://www.jianshu.com/p/22d3ae38e628?v=1742101731758). Practitioners should consult these sources for mitigation guidance, as no vendor patch is referenced in the core CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8680
Vulnerability details
A vulnerability classified as critical was found in Bluestar Micro Mall 1.0. Affected by this vulnerability is an unknown functionality of the file /api/api.php?mod=upload&type=1. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely.…
The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing web application enables T1190 (Exploit Public-Facing Application) for initial access and T1505.003 (Server Software Component: Web Shell; formerly tracked as T1100) for code execution and persistence once the attacker can request the uploaded file.
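The detection side of that chain, as an added example that is not part of the original page or of Bluestar Micro Mall: it scans web-server access logs for a client that calls the upload API and then requests (or POSTs to) a script under the upload directory. The Apache combined log format, the /upload/ storage prefix, the list of executable extensions, and the sample log lines are all assumptions constructed for the example; the advisory only names the /api/api.php?mod=upload&type=1 endpoint.

```python
"""Hunt for an upload-then-web-shell sequence in access logs.

Added example (not code from the advisory or the vendor). Assumptions:
Apache combined log format, uploads served from /upload/, and the
attacker fetching the stored file from the same source IP afterwards.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not real logs). 203.0.113.7 uploads and then
# executes cmd.php; 198.51.100.9 is a legitimate avatar upload.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2025:10:01:02 +0000] "POST /api/api.php?mod=upload&type=1 HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [30/Mar/2025:10:01:05 +0000] "GET /upload/20250330/cmd.php?c=id HTTP/1.1" 200 85 "-" "python-requests/2.31"
198.51.100.9 - - [30/Mar/2025:10:02:00 +0000] "POST /api/api.php?mod=upload&type=1 HTTP/1.1" 200 310 "https://shop.example/" "Mozilla/5.0"
198.51.100.9 - - [30/Mar/2025:10:02:04 +0000] "GET /upload/20250330/avatar.png HTTP/1.1" 200 4821 "https://shop.example/" "Mozilla/5.0"
203.0.113.7 - - [30/Mar/2025:10:03:10 +0000] "POST /upload/20250330/cmd.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Extensions the web server would hand to the PHP interpreter (assumed list).
EXEC_EXT = ('.php', '.phtml', '.php5', '.phar')
UPLOAD_PREFIX = '/upload/'  # assumed storage location


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev['target'])
    ev['path'] = parts.path
    ev['query'] = parse_qs(parts.query)
    return ev


def is_upload_call(ev):
    """POST to api.php with mod=upload, the endpoint named in the advisory."""
    return (ev['method'] == 'POST'
            and ev['path'].endswith('/api/api.php')
            and ev['query'].get('mod') == ['upload'])


def is_exec_under_upload(ev):
    """A successful request for a script inside the upload directory."""
    path = ev['path'].lower()
    return (path.startswith(UPLOAD_PREFIX)
            and path.endswith(EXEC_EXT)
            and ev['status'] == '200')


def find_webshell_chains(log_text):
    """Return (ip, upload_timestamp, script_path) for every script hit under
    the upload directory by an IP that previously called the upload API.
    Ordering is by line order, so the log is assumed to be chronological."""
    uploads = defaultdict(list)  # ip -> timestamps of upload calls
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_upload_call(ev):
            uploads[ev['ip']].append(ev['ts'])
        elif is_exec_under_upload(ev) and uploads.get(ev['ip']):
            hits.append((ev['ip'], uploads[ev['ip']][-1], ev['path']))
    return hits


if __name__ == '__main__':
    for ip, ts, path in find_webshell_chains(SAMPLE_LOG):
        print(f'possible web shell: {ip} uploaded at {ts}, then hit {path}')
```

Both the GET with `?c=id` and the later POST to cmd.php are flagged, while the PNG request from the other client is not; the rule keys on extension and location rather than on request body content, so it survives an attacker who renames the shell but not one who gets the server to execute a non-script extension.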
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly validates the File argument in the upload API to prevent unrestricted upload of dangerous file types.
- Restricts the file types, sizes, and other characteristics accepted by the /api/api.php upload endpoint to block malicious uploads.
- AC-3 (Access Enforcement): Enforces access control policies on the upload functionality, so that a low-privileged account cannot reach the endpoint without explicit authorization.