CVE-2025-34163
Published: 27 August 2025
Summary
CVE-2025-34163 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Dongsheng Logistics Software (vendor Dongshengsoft, inferred from references). Its CVSS 4.0 base score is 10.0 (Critical).
Operationally, it ranks in the top 20.4% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Dongsheng Logistics Software contains an unauthenticated file-upload endpoint at /CommMng/Print/UploadMailFile that performs no file-type validation and no access-control checks. The flaw, tracked as CVE-2025-34163 and assigned CWE-434, permits arbitrary file uploads, including server-side executable scripts such as .ashx (ASP.NET generic handlers), through crafted multipart/form-data POST requests. It is presumed to affect builds released before July 2025; the advisory states that newer versions are remediated, but the precise affected range is not defined.
An unauthenticated remote attacker can use the endpoint to place an executable handler on the server and then request it, achieving remote code execution and potentially full system compromise. The CVSS 4.0 score of 10.0 reflects that no authentication, no user interaction, and no attack complexity is required.
Public references indicate that the Shadowserver Foundation first recorded exploitation activity on 23 July 2025, more than a month before the CVE was published. The associated EPSS score has remained flat at 0.0123 with no material increase since disclosure.
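The exploitation pattern described above (an unauthenticated POST to the upload endpoint followed by a request for a newly placed .ashx handler) is visible in ordinary IIS access logs. The following hunt script is an added example, not code from the original page or the vendor: it parses W3C-format IIS logs, flags every POST to /CommMng/Print/UploadMailFile, and flags any request for an .ashx handler that is not on a deployment-specific allowlist, raising severity when the same client did both. The allowlisted handler name and the sample log lines are constructed for illustration.

```python
"""Hunt IIS W3C access logs for CVE-2025-34163 activity.

Added example; not code from the original page or the vendor.
Assumptions: IIS-style W3C logs with a '#Fields:' header, and a
deployment-specific allowlist of legitimate .ashx handlers (the name
below is hypothetical). The sample log is constructed, not real traffic.
"""
from typing import Dict, List, Set

UPLOAD_ENDPOINT = "/commmng/print/uploadmailfile"   # path named in the advisory, lower-cased

# Hypothetical: .ashx handlers this deployment legitimately serves.
KNOWN_HANDLERS: Set[str] = {"/commmng/print/printpreview.ashx"}

# Constructed sample log (not real traffic). IIS replaces spaces inside a
# field with '+', so splitting on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-23 02:14:05 10.0.0.5 GET /CommMng/Print/PrintPreview.ashx id=12 443 alice 10.0.0.7 Mozilla/5.0 200 31
2025-07-23 02:15:41 10.0.0.5 POST /CommMng/Print/UploadMailFile - 443 - 198.51.100.23 python-requests/2.32 200 88
2025-07-23 02:15:43 10.0.0.5 GET /CommMng/Print/mailfiles/x1.ashx - 443 - 198.51.100.23 python-requests/2.32 200 412
2025-07-23 02:20:00 10.0.0.5 POST /CommMng/Print/UploadMailFile - 443 bob 10.0.0.9 Mozilla/5.0 200 70
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header may repeat after log rotation
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                        # malformed line: skip, never mis-assign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def hunt(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return alerts for upload-endpoint POSTs and requests for unexpected .ashx handlers.

    Severity is raised when an unknown .ashx is fetched by a client that
    previously hit the upload endpoint: upload followed by execution is the
    pattern the advisory describes.
    """
    alerts: List[Dict[str, str]] = []
    uploaders: Set[str] = set()
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        client = r["c-ip"]
        when = f"{r['date']} {r['time']}"
        if r["cs-method"].upper() == "POST" and stem == UPLOAD_ENDPOINT:
            uploaders.add(client)
            # cs-username is '-' under anonymous IIS auth; the application may
            # run its own session handling, so this is only a weak signal.
            anon = r.get("cs-username", "-") == "-"
            alerts.append({"rule": "upload_endpoint_post",
                           "severity": "medium" if anon else "low",
                           "client": client, "time": when, "uri": r["cs-uri-stem"]})
        elif stem.endswith(".ashx") and stem not in KNOWN_HANDLERS:
            alerts.append({"rule": "unknown_ashx_request",
                           "severity": "high" if client in uploaders else "medium",
                           "client": client, "time": when, "uri": r["cs-uri-stem"],
                           "status": r.get("sc-status", "?")})
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_w3c(SAMPLE_LOG)):
        print(alert)
```

Run against real logs by replacing SAMPLE_LOG with the file contents; the allowlist must be populated from the application's own handler inventory, otherwise every legitimate .ashx request will alert. A 200 on an unknown .ashx from a client that just POSTed to the upload endpoint is the strongest signal here and warrants pulling the file from disk for triage.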
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26060
Vulnerability details
Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-434) cited in the NVD entry and is therefore generic. Only the entries that address web-facing file uploads apply here; the portable-device and firmware entries are CWE-434 controls for other contexts and do not mitigate this vulnerability. The direct fixes implied by the flaw description are to require authentication on /CommMng/Print/UploadMailFile, validate uploaded file types against an allowlist, and store uploads where the web server cannot execute handler files such as .ashx.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media. (Not applicable to this web endpoint.)
- Dangerous file uploads can be detonated in a sandbox (detonation chamber) to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures. (Not applicable to this web endpoint.)
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
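The two gaps the advisory names, missing access control and missing file-type validation, are closed by a server-side gate in front of the upload handler. The following is an added example, not the vendor's code: it refuses unauthenticated callers, strips client-supplied path components and the trailing dots and spaces Windows ignores, rejects any name carrying an IIS/ASP.NET executable extension anywhere in it (so shell.ashx.png is rejected, not just shell.ashx), requires the final extension to be on an allowlist, and returns a server-generated filename so the client controls neither the stored name nor its location. ALLOWED_EXTENSIONS is an assumption about what a mail-print upload feature needs.

```python
"""Server-side gate for a file-upload endpoint, closing the two gaps the
advisory describes: no access control and no file-type validation.

Added example, not the vendor's code. ALLOWED_EXTENSIONS is an assumption
about what a mail-print upload feature legitimately needs; adjust it.
"""
import os
import secrets
from typing import Tuple

# Assumption: what the feature legitimately needs. Allowlist, never denylist.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg"}

# Extensions IIS/ASP.NET executes or treats as handler/config files; the
# advisory names .ashx. Rejected wherever they appear in the name, not only
# at the end, so double-extension names are caught too.
EXECUTABLE_EXTENSIONS = {".ashx", ".asmx", ".aspx", ".asax", ".ascx", ".asp",
                         ".cshtml", ".vbhtml", ".svc", ".config", ".dll",
                         ".exe", ".soap", ".rem"}


def safe_upload_name(client_filename: str, authenticated: bool) -> Tuple[bool, str]:
    """Return (accepted, server_filename_or_reason).

    Only the extension of the client-supplied name survives. The stored name
    is server-generated, and the caller must write it into a directory that
    the web server does not execute handlers from.
    """
    if not authenticated:
        return False, "authentication required"
    if "\x00" in client_filename or ";" in client_filename:
        return False, "illegal character in filename"
    # Drop path components from either OS family, then the trailing dots and
    # spaces Windows silently strips ("shell.ashx." is stored as shell.ashx).
    name = os.path.basename(client_filename.replace("\\", "/")).rstrip(". ").lower()
    if not name:
        return False, "empty filename"
    parts = name.split(".")
    exts = ["." + p for p in parts[1:]]
    if not exts or any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable or missing extension"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension {exts[-1]} not allowed"
    return True, secrets.token_hex(16) + exts[-1]


if __name__ == "__main__":
    for candidate in ["invoice.pdf", "shell.ashx", "shell.ashx.", "shell.ashx.png",
                      "..\\..\\web.config"]:
        print(candidate, "->", safe_upload_name(candidate, authenticated=True))
```

The extension check is necessary but not sufficient on its own: the caller should additionally verify the file's magic bytes match the claimed type and keep the upload directory outside the web root or with script execution disabled, so that even a file that slips through cannot be reached as a handler.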