Cyber Resilience

CVE-2025-52353

Critical · Public PoC · Updated

Published: 26 August 2025
Modified: 17 June 2026
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0061 (44.5th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-52353 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Uatech Badaso. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-52353 is an arbitrary code execution vulnerability in Badaso CMS version 2.9.11, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue affects the Media Manager component, which permits authenticated users to upload files containing embedded PHP code via the file-upload endpoint while bypassing content-type validation. Accessing the uploaded file through its URL triggers execution of the PHP payload on the server.

An attacker with authenticated access to the Badaso CMS instance can exploit this by uploading a malicious file, such as a PDF with an embedded backdoor renamed to a .php extension. Once uploaded, requesting the file's URL causes the server to execute the embedded PHP code, allowing the attacker to run arbitrary system commands and fully compromise the underlying host.

Mitigation details can be found in the referenced advisories, including the Badaso GitHub repository at https://github.com/uasoft-indonesia/badaso and a Medium disclosure post at https://medium.com/@pat.sanitjairak/remote-code-execution-in-a-plain-view-0f86f183543d. Security practitioners should monitor these sources for patches or workarounds.

Vulnerability details

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct RCE via unrestricted file upload to a public-facing web application (T1190), resulting in web shell deployment and execution (T1505.003, formerly T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50002 (shared CWE-434)
CVE-2015-10135 (shared CWE-434)
CVE-2025-69312 (shared CWE-434)
CVE-2015-10144 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2025-44658 (shared CWE-434)
CVE-2026-37748 (shared CWE-434)
CVE-2025-49387 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2026-6518 (shared CWE-434)

Affected Assets

Vendor: uatech
Product: badaso
Version: 2.9.11

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Requires validation of file uploads so that the declared content type, the file extension and the actual file content agree, and rejects files with embedded PHP code that would otherwise bypass content-type checks.

Prevent: Enforces restrictions on the file types permitted at upload endpoints, prohibiting dangerous extensions such as .php.

Prevent / detect: Scans uploaded files for malicious code, such as PHP backdoors embedded in PDFs, before they are stored or can be executed.
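As an added example (not code from the Badaso project or the disclosure post), the three controls above combined into one upload-validation check in Python: an extension allowlist judged on the final extension, a declared-type versus magic-byte consistency check, and a scan for embedded PHP open tags. The sample files are constructed inline; the "backdoored" PDF carries only a placeholder comment inside the PHP tag.

```python
import re

# Allowlisted extensions with the declared MIME type and leading bytes each must
# have. Anything not listed, including .php, is rejected outright.
ALLOWED_TYPES = {
    "pdf": ("application/pdf", (b"%PDF-",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

# PHP long tag and short echo tag; either is enough for a default PHP install to
# execute the file if it is ever served through the interpreter.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename, declared_type, data):
    """Return (accepted, reasons). Every failing check is reported, not only the first."""
    reasons = []
    # 1. Extension allowlist, judged on the LAST extension so "report.pdf.php" is .php.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        reasons.append(f"extension {ext!r} is not on the allowlist")
    else:
        expected_type, magics = ALLOWED_TYPES[ext]
        # 2a. The client-declared Content-Type must agree with the extension ...
        if declared_type.lower().split(";")[0].strip() != expected_type:
            reasons.append(f"declared type {declared_type!r} does not match .{ext}")
        # 2b. ... and so must the actual bytes; the header alone is attacker-controlled.
        if not any(data.startswith(m) for m in magics):
            reasons.append(f"content does not start with the {ext} signature")
    # 3. Content scan: a PHP open tag inside an otherwise valid container (the
    #    advisory's PDF-with-backdoor case) is rejected regardless of file name.
    if PHP_TAG.search(data):
        reasons.append("embedded PHP open tag found")
    return (not reasons, reasons)


# Constructed samples (not real captures). The second mirrors the advisory's
# scenario: a PDF carrying a PHP tag, here with a placeholder comment as body.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
BACKDOORED_PDF = b"%PDF-1.4\n%<?php /* placeholder for backdoor body */ ?>\n%%EOF\n"

if __name__ == "__main__":
    samples = [
        ("report.pdf", "application/pdf", CLEAN_PDF),
        ("report.php", "application/pdf", BACKDOORED_PDF),
        ("report.pdf.php", "application/pdf", BACKDOORED_PDF),
    ]
    for name, ctype, body in samples:
        accepted, reasons = validate_upload(name, ctype, body)
        print(f"{name:16} {'ACCEPT' if accepted else 'REJECT'} {reasons}")
```

Checks 1 and 2 alone would already reject the renamed file; check 3 is what catches a correctly named, correctly typed container that still carries PHP, which is the case the content-type bypass in the advisory relies on.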