Cyber Posture

CVE-2025-59710

High

Published: 03 April 2026

Modified: 09 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.4th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59710 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Kovai Biztalk360. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved authorizations to prevent any user from requesting the loading of DLL files due to incorrect access control.

Prevent: Restricts file types that can be uploaded to the system, directly mitigating unrestricted upload of dangerous DLLs.

Prevent: Ensures least privilege so unauthorized users lack permissions to upload or trigger loading of DLLs on the server.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables remote code execution through unrestricted upload and loading of malicious DLLs in the public-facing BizTalk360 application (AV:N/PR:N), directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue was discovered in Biztalk360 before 11.5. Because of incorrect access control, any user is able to request the loading of a DLL file. During the loading, a method is called. An attacker can craft a malicious DLL, upload it to the server, and use it to achieve remote code execution on the server.

Deeper analysis

CVE-2025-59710 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) affecting BizTalk360 versions prior to 11.5, stemming from CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw arises from incorrect access control, enabling any user to request the loading of a DLL file on the server. During this process, a method within the DLL is invoked, allowing attackers to upload a specially crafted malicious DLL and achieve remote code execution.

An attacker requires only network access and no special privileges (PR:N), though some user interaction is needed (UI:R). From any domain account, the adversary can upload a malicious DLL to the BizTalk360 server and trigger its loading, resulting in arbitrary code execution with the privileges of the server process. This grants high-impact control over confidentiality, integrity, and availability (C:H/I:H/A:H) without changing scope.

The Synacktiv advisory at https://www.synacktiv.com/en/advisories/remote-code-execution-from-any-domain-account-in-biztalk360 provides detailed analysis of the remote code execution achievable from any domain account in BizTalk360. No specific patch details beyond upgrading to version 11.5 or later are outlined in available information.

Details

CWE(s)

Affected Products

kovai biztalk360 ≤ 11.6.3963.2611

CVEs Like This One

CVE-2025-59711 (Same product: Kovai Biztalk360)
CVE-2025-54440 (Shared CWE-434)
CVE-2024-56828 (Shared CWE-434)
CVE-2025-34299 (Shared CWE-434)
CVE-2022-50936 (Shared CWE-434)
CVE-2025-12673 (Shared CWE-434)
CVE-2025-13067 (Shared CWE-434)
CVE-2026-3459 (Shared CWE-434)
CVE-2025-48396 (Shared CWE-434)
CVE-2025-67325 (Shared CWE-434)
