Cyber Posture

CVE-2025-67325

CriticalPublic PoC

Published: 08 January 2026

Published
08 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0031 53.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67325 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Webkul Qloapps. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses unrestricted file uploads by requiring validation of file types, extensions, and content in the hotel review feature to block dangerous files leading to RCE.

SI-9 Information Input Restrictions good match
prevent

Enforces restrictions on file upload inputs such as whitelisting safe types and limiting sizes to prevent unauthenticated attackers from uploading executable files via hotel reviews.

SI-3 Malicious Code Protection partial match
preventdetect

Deploys malicious code protection at system entry points to scan and block uploaded files containing dangerous code that could achieve RCE on the server.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is an unrestricted file upload in a public-facing web application (hotel review feature), enabling unauthenticated remote code execution, which directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution.

Deeper analysisAI

CVE-2025-67325 is an unrestricted file upload vulnerability in the hotel review feature of QloApps versions 1.7.0 and earlier. Classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), it allows remote unauthenticated attackers to achieve remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. By uploading malicious files through the hotel review functionality, attackers can execute arbitrary code on the server, potentially leading to full system compromise.

Mitigation details and further technical information are available in advisories referenced at https://github.com/Qloapps/QloApps and https://github.com/mr7s3d0/CVE-2025-67325.

Details

CWE(s)
CWE-434

Affected Products

webkul
qloapps
≤ 1.7.0

CVEs Like This One

CVE-2026-38530Same vendor: Webkul
CVE-2026-21448Same vendor: Webkul
CVE-2026-21446Same vendor: Webkul
CVE-2026-21447Same vendor: Webkul
CVE-2025-54440Shared CWE-434
CVE-2024-56828Shared CWE-434
CVE-2026-21451Same vendor: Webkul
CVE-2025-34299Shared CWE-434
CVE-2022-50936Shared CWE-434
CVE-2025-12673Shared CWE-434

References