CVE-2025-34506

High · Public PoC

Published: 11 December 2025
Modified: 15 December 2025
KEV Added:
Patch:
CVSS v4 Score: 8.6
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0095 (76.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34506 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WBCE CMS. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-34506 is an authenticated remote code execution vulnerability in WBCE CMS version 1.6.3 and prior, published on 2025-12-11. The issue, tied to CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It enables administrators to upload malicious ZIP modules containing embedded PHP reverse shell code, which executes upon installation and grants remote system access.

Exploitation requires authenticated access with administrator credentials and is performed over the network with no user interaction. The two vectors on this page rate that requirement differently: the CVSS v3.1 vector uses PR:L, while the CVSS v4 vector uses PR:H. By crafting a specially designed ZIP module and uploading it via the CMS module installation feature, the attacker achieves remote code execution. This results in high-impact compromise of confidentiality, integrity, and availability on the affected system.

Advisories and related resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload, Exploit-DB entry at https://www.exploit-db.com/exploits/52132, and proof-of-concept at https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE, document the issue but do not specify patches in the available details. The official WBCE CMS site at https://wbce-cms.org/ and GitHub repository at https://github.com/WBCE/WBCE_CMS should be consulted for any updates or mitigation guidance.

Vulnerability details

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables authenticated RCE via upload and auto-execution of malicious ZIP modules containing PHP code (T1190: Exploit Public-Facing Application) and facilitates deployment of web shells through install.php payloads that execute arbitrary commands (T1505.003: Web Shell).

CVEs Like This One

CVE-2024-58283: Same product (WBCE CMS)
CVE-2022-50936: Same product (WBCE CMS)
CVE-2025-66204: Same product (WBCE CMS)
CVE-2025-46384: Shared CWE-434
CVE-2025-13516: Shared CWE-434
CVE-2024-13011: Shared CWE-434
CVE-2025-8323: Shared CWE-434
CVE-2025-21624: Shared CWE-434
CVE-2026-35164: Shared CWE-434
CVE-2026-2097: Shared CWE-434

Affected Assets

wbce · wbce cms · ≤ 1.6.3

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Validates contents of uploaded ZIP modules to block those embedding malicious PHP reverse shell code, directly mitigating the unrestricted file upload vulnerability.

prevent, detect: Scans uploaded and installed modules for malicious code like PHP reverse shells, preventing or detecting execution upon installation.

prevent: Prohibits or approves administrator installation of unvetted CMS modules, restricting the upload and deployment of malicious ZIP files.
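
A pre-installation review gate for module archives, in the spirit of the content-validation and scanning controls above. This is an added example, not code from WBCE CMS or from the advisories; the function names, the list of flagged PHP calls, the size limit and the sample archives are assumptions made for illustration, and a keyword heuristic like this misses obfuscated code, so it supports an approval step rather than replacing one.

```python
import io
import re
import zipfile

# Assumption: heuristic lists chosen for this example, not exhaustive.
PHP_EXTS = (".php", ".phtml", ".phar", ".php5")
RISKY_CALLS = re.compile(
    rb"\b(exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec|"
    rb"fsockopen|stream_socket_client|socket_create)\s*\(", re.I)
MAX_ENTRY_BYTES = 2 * 1024 * 1024  # do not inflate oversized entries


def audit_module_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry, reason) findings for a module archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts:
                findings.append((name, "path escapes module directory"))
                continue
            if info.is_dir() or not name.lower().endswith(PHP_EXTS):
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append((name, "PHP entry too large to inspect"))
                continue
            # Collect process-execution / outbound-socket calls in this file.
            calls = sorted({m.group(1).decode().lower()
                            for m in RISKY_CALLS.finditer(zf.read(info))})
            if calls:
                findings.append((name, "calls " + ", ".join(calls)))
    return findings


def build_zip(files: dict[str, str]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: inert fragments, not taken from any real module.
CLEAN = build_zip({"demo/info.php": "<?php $module_name = 'Demo';",
                   "demo/install.php": "<?php $database->query($sql);"})
SUSPECT = build_zip({"demo/info.php": "<?php $module_name = 'Demo';",
                     "demo/install.php": "<?php $s = fsockopen($h, $p); proc_open($c, $d, $io);"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_module_zip(blob))
```

Any finding should route the archive to manual review before an administrator installs it; an empty result is not proof the module is safe.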

References