Cyber Posture

CVE-2025-63695

Severity: Critical · Public PoC

Published: 18 November 2025
Modified: 20 November 2025
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63695 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in DzzOffice (vendor Dzzoffice). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates unrestricted arbitrary file uploads by validating file type, content, and format in the vulnerable PHP controller.

Prevent: Enforces authentication and authorization for the file upload endpoint, blocking unauthenticated remote exploitation.

Prevent / Detect: Scans for and eradicates malicious code in uploaded files, such as webshells, at system entry points to limit the damage from a successful upload.
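The first two controls above (input validation on type, content and format, and access enforcement on the upload endpoint) are what a hardened upload handler has to implement. The following is an added illustration written for this page; it is not DzzOffice code and does not reproduce the vulnerable controller. It assumes a form field named "upfile", an image-only allowlist, a storage directory UPLOAD_DIR outside the document root, and that the application has already authenticated the caller before the handler runs.

```php
<?php
// Added example (not DzzOffice code): hardened handling of one file from $_FILES.
// Assumed: field name "upfile", images only, UPLOAD_DIR is not served by the web
// server, and an authentication/authorization check (AC-3) ran before this point.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;       // assumed size limit: 5 MiB

// Allowlist: extension => MIME types the file *content* must actually match.
// SVG is deliberately absent: it is XML and can carry script.
const ALLOWED = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

/**
 * Validate and store one uploaded file. Returns the stored path on success,
 * throws RuntimeException with a reason otherwise.
 */
function storeUpload(array $file): string
{
    // 1. PHP-level upload status and size bound.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file exceeds size limit');
    }
    // Only accept a temp file that really came from this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 2. Type check: extension from the FINAL dot, lower-cased, against the
    //    allowlist, so "x.php.png" yields "png" and "x.PHP" is not sneaked past.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 3. Content check: sniff the MIME type from the bytes, never trust the
    //    client-supplied $file['type'], and require it to agree with the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // 4. Format check: the file must parse as an image with sane dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        throw new RuntimeException('file is not a well-formed image');
    }

    // 5. Never reuse the client's filename. Generate a random name with the
    //    validated extension and store it outside the web root, so nothing the
    //    server could execute or serve raw is reachable by URL.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // no execute bit

    return $dest;
}

// Usage inside the controller action, after the application's own auth check
// (assumed field name "upfile"; the JSON shape is illustrative):
try {
    $path = storeUpload($_FILES['upfile']);
    echo json_encode(['state' => 'SUCCESS', 'file' => basename($path)]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['state' => $e->getMessage()]);
}
```

Two design points matter more than any single check. The file is validated three ways (extension, sniffed MIME type, and parseability as an image) and all three must agree, which is what closes the gap a single extension or header check leaves. And the stored object is renamed and placed outside the document root, so even a file that slips through validation is never reachable as an executable script or as attacker-controlled HTML; when files are later served back, do so through a download handler that sets an explicit Content-Type and X-Content-Type-Options: nosniff.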

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated arbitrary file upload to web root in public-facing DzzOffice web application enables exploitation for initial access, allowing upload of malicious HTML/JS for persistent XSS.

NVD Description

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.

Deeper analysis

CVE-2025-63695 is an arbitrary file upload vulnerability in DzzOffice versions 2.3.7 and prior, affecting the component /dzz/system/ueditor/php/controller.php. Published on 2025-11-18, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical, and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, allowing attackers to upload arbitrary files, potentially leading to remote code execution or full server control.

References include the GitHub repository https://github.com/Yohane-Mashiro/dzzoffice_upload and the issue https://github.com/zyx0814/dzzoffice/issues/365, which document the vulnerability and likely include proof-of-concept demonstrations. No specific patch or mitigation details are provided in the available information.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products: dzzoffice / dzzoffice, versions ≤ 2.3.7

CVEs Like This One

CVE-2016-20052 (shared CWE-434)
CVE-2025-67079 (shared CWE-434)
CVE-2025-12673 (shared CWE-434)
CVE-2026-26746 (shared CWE-434)
CVE-2024-56828 (shared CWE-434)
CVE-2021-47788 (shared CWE-434)
CVE-2025-13329 (shared CWE-434)
CVE-2025-12682 (shared CWE-434)
CVE-2025-70457 (shared CWE-434)
CVE-2026-21628 (shared CWE-434)

References

https://github.com/Yohane-Mashiro/dzzoffice_upload
https://github.com/zyx0814/dzzoffice/issues/365