CVE-2025-56704

HighPublic PoC

Published: 09 December 2025

Published

09 December 2025

Modified

11 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 17.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56704 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Lepton-Cms Leptoncms. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly mandates validation of uploaded files to block dangerous types like PHP-in-ZIP, addressing the core lack of proper file validation in this CVE.

SI-9 Information Input Restrictions good match

prevent

SI-9 enforces restrictions on file types, extensions, and sizes at upload boundaries to prevent unrestricted dangerous file uploads.

SI-3 Malicious Code Protection good match

preventdetect

SI-3 requires scanning uploads for malicious code, preventing or detecting PHP shells and other exploits from arbitrary file uploads.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Arbitrary file upload vulnerability allows authenticated attackers to upload malicious PHP files for remote code execution, mapping to exploitation of public-facing applications (T1190) and web shell deployment (T1100, T1505.003).

NVD Description

LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.

Deeper analysisAI

CVE-2025-56704, published on 2025-12-09, is an arbitrary file upload vulnerability in LeptonCMS version 7.3.0. The flaw stems from a lack of proper validation for uploaded files, earning a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-434 (Unrestricted Upload of File with Dangerous Type).

An authenticated attacker with low privileges can exploit the vulnerability remotely over the network with low complexity and no user interaction required. By uploading a specially crafted ZIP/PHP file, the attacker achieves arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability.

Advisories and additional details on the vulnerability, including potential mitigations, are documented in the vendor notice at http://lepton.com and technical reports available at https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_A.pdf, https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_B.pdf, and https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_C.pdf.