Cyber Resilience

CVE-2025-63695

CriticalPublic PoC

Published: 18 November 2025

Published
18 November 2025
Modified
20 November 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63695 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Dzzoffice Dzzoffice. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-63695 is an arbitrary file upload vulnerability in DzzOffice versions 2.3.7 and prior, affecting the component /dzz/system/ueditor/php/controller.php. Published on 2025-11-18, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical, and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, allowing attackers to upload arbitrary files, potentially leading to remote code execution or full server control.

References include GitHub repositories and issues such as https://github.com/Yohane-Mashiro/dzzoffice_upload (listed twice) and https://github.com/zyx0814/dzzoffice/issues/365, which document the vulnerability and likely include proof-of-concept demonstrations. No specific patch or mitigation details are detailed in the provided information.

EU & UK References

Vulnerability details

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated arbitrary file upload to web root in public-facing DzzOffice web application enables exploitation for initial access, allowing upload of malicious HTML/JS for persistent XSS.

CVEs Like This One

CVE-2024-56975Shared CWE-434
CVE-2019-25580Shared CWE-434
CVE-2026-27636Shared CWE-434
CVE-2026-4809Shared CWE-434
CVE-2020-37090Shared CWE-434
CVE-2026-24729Shared CWE-434
CVE-2026-28289Shared CWE-434
CVE-2026-1730Shared CWE-434
CVE-2023-50897Shared CWE-434
CVE-2025-70457Shared CWE-434

Affected Assets

dzzoffice
dzzoffice
≤ 2.3.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates unrestricted arbitrary file uploads by implementing validation checks on file type, content, and format in the vulnerable PHP controller.

prevent

Enforces authentication and authorization for the file upload endpoint, blocking unauthenticated remote exploitation.

preventdetect

Scans and eradicates malicious code in uploaded files, such as webshells, at system entry points to limit damage from successful uploads.

References