CVE-2025-52353
Published: 26 August 2025
Summary
CVE-2025-52353 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Uatech Badaso. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 49.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of file uploads to ensure consistency and reject those with embedded PHP code that bypass content-type checks.
- Enforces restrictions on the file types permitted at upload endpoints, prohibiting dangerous extensions such as .php.
- Scans uploaded files for malicious code, such as PHP backdoors embedded in PDFs, before storage or execution.
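As an added illustration of the three controls above (example code, not Badaso's own), the following Python validator applies them to a Media-Manager-style upload: it rejects PHP-handled extensions in any filename component, requires the leading bytes and the declared content type to agree with the extension, and scans for PHP open tags, so a PDF carrying embedded PHP is refused whether or not it has been renamed to .php. The extension and magic-byte tables are constructed for this example and are not Badaso's configuration.

```python
import re

# Extensions that common web servers hand to the PHP interpreter. Any filename
# component carrying one of these is rejected (constructed list for this example).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Types the media endpoint is meant to accept (constructed allowlist).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif"}

# Leading bytes and the content type expected for each allowed extension. The
# extension, the declared type and the bytes must all agree before a file is kept.
MAGIC = {
    "pdf": (b"%PDF-", "application/pdf"),
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}

# PHP open tags. A hit anywhere in a document or image upload is a red flag even
# when the extension and magic bytes look legitimate.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The reason is meant for the audit log."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    # Check every component so that both 'shell.pdf.php' and 'shell.php.pdf' fail.
    if any(p in PHP_EXTENSIONS for p in parts[1:]):
        return False, "executable extension present"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not on allowlist"
    magic, expected_type = MAGIC[ext]
    if not data.startswith(magic):
        return False, "content does not match extension"
    if content_type.lower() != expected_type:
        return False, "declared content type disagrees with content"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a PDF header followed by a harmless PHP marker tag.
    sample = b"%PDF-1.4\n<?php echo 'constructed-marker'; ?>\n%%EOF\n"
    print(validate_upload("report.php", "application/pdf", sample))
    print(validate_upload("report.pdf", "application/pdf", sample))
```

Storing accepted files under a server-generated name outside the web root, rather than under the client-supplied name, removes the remaining dependence on the extension check.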
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via unrestricted file upload to a public-facing web application (T1190), resulting in web shell deployment and execution (T1100).
NVD Description
An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.
Deeper analysis
CVE-2025-52353 is an arbitrary code execution vulnerability in Badaso CMS version 2.9.11, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue affects the Media Manager component, which permits authenticated users to upload files containing embedded PHP code via the file-upload endpoint while bypassing content-type validation. Accessing the uploaded file through its URL triggers execution of the PHP payload on the server.
An attacker with authenticated access to the Badaso CMS instance can exploit this by uploading a malicious file, such as a PDF embedding a backdoor and renamed with a .php extension. Once uploaded, accessing the file's URL causes the server to execute the embedded PHP code, allowing the attacker to run arbitrary system commands and achieve full compromise of the underlying host.
Mitigation details can be found in the referenced advisories, including the Badaso GitHub repository at https://github.com/uasoft-indonesia/badaso and a Medium disclosure post at https://medium.com/@pat.sanitjairak/remote-code-execution-in-a-plain-view-0f86f183543d. Security practitioners should monitor these sources for patches or workarounds.
Details
- CWE(s)