Cyber Posture

CVE-2025-7063

Critical

Published: 30 September 2025

Modified: 26 November 2025
KEV Added: not listed
Patch: none (product is end-of-life)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0087 (75.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7063 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Widzialni Pad Cms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates unrestricted file uploads by requiring validation of file types, extensions, and content to block dangerous uploads leading to RCE.
- prevent: Restricts classes of allowable input data, such as allowlisting safe file types and extensions, preventing uploads of arbitrary executable files.
- prevent: Enforces server-side access authorizations for file upload resources, countering client-controlled permission check bypasses by unauthenticated attackers.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing web app (CWE-434) directly enables unauthenticated RCE via malicious file transfer and web shell execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution. This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and producer will not publish patches for this vulnerability.

Deeper analysis

CVE-2025-7063 is a critical vulnerability in the file upload functionality of PAD CMS, stemming from a client-controlled permission check parameter. This flaw enables an unauthenticated remote attacker to upload files of any type and extension without restriction, allowing subsequent execution and leading to remote code execution (RCE). The issue affects all three templates of PAD CMS: www, bip, and ww+bip. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An unauthenticated attacker with network access can exploit this vulnerability by sending a specially crafted file upload request that bypasses the permission check and any restriction on file type. Successful exploitation lets the attacker execute arbitrary code on the server, with full impact on confidentiality, integrity, and availability and potential compromise of the entire system.

The product is end-of-life, and the producer will not publish patches for this vulnerability. For mitigation details, refer to the advisory at https://cert.pl/posts/2025/09/CVE-2025-7063.
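The two controls the record names, server-side access enforcement (AC-3) and input validation (SI-10), are easiest to see next to the weakness they address. The following is an added example and is not PAD CMS code or anything from the CERT.PL advisory: it shows a hypothetical upload handler in the client-trusting form this CWE-434 record describes (a permission flag read from the request) beside a hardened form that authorizes from server-side session state, allowlists extensions, checks size, and verifies the content's magic bytes against the declared type. All names (UploadRequest, the can_upload parameter, UPLOAD_ROLE_MEMBERS, the allowlist) are assumptions made for the example.

```python
import os
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Allowlist of accepted extensions with the magic-byte prefix each must carry
# (constructed for this example; extend with the types your application needs).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Hypothetical server-side authorization data standing in for the CMS's roles.
UPLOAD_ROLE_MEMBERS = {"editor-42"}


@dataclass
class UploadRequest:
    user_id: Optional[str]                              # from the server session; None = anonymous
    params: Dict[str, str] = field(default_factory=dict)  # client-controlled form fields
    filename: str = ""                                  # client-supplied name
    data: bytes = b""


def vulnerable_decide(req: UploadRequest) -> Tuple[str, str]:
    """The weakness class this record describes: the permission check reads a
    flag the client sends, and nothing constrains type or extension."""
    if req.params.get("can_upload") != "1":             # hypothetical parameter name
        return ("denied", "client flag not set")
    return ("ok", os.path.basename(req.filename))


def hardened_decide(req: UploadRequest) -> Tuple[str, str]:
    """AC-3: authorize from server-side session/role state, never from params.
    SI-10: allowlist the extension, bound the size, and verify the content's
    magic bytes match the declared type.
    Returns ("ok", stored_name) or ("denied", reason)."""
    if req.user_id is None or req.user_id not in UPLOAD_ROLE_MEMBERS:
        return ("denied", "not authorized to upload")

    name = os.path.basename(req.filename)               # drop any path components
    base, dot, ext = name.rpartition(".")
    if not dot or not SAFE_BASENAME.match(base):
        return ("denied", "unacceptable filename")      # also rejects a.php.png
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return ("denied", f"extension .{ext} not allowed")

    if not req.data or len(req.data) > MAX_BYTES:
        return ("denied", "empty or oversized upload")
    if not req.data.startswith(ALLOWED_TYPES[ext]):
        return ("denied", "content does not match declared type")

    # Never reuse the client's name on disk: random name, allowlisted extension.
    return ("ok", f"{secrets.token_hex(8)}.{ext}")


def save_upload(req: UploadRequest, dest_dir: str) -> Tuple[str, str]:
    """Write to dest_dir only after hardened_decide accepts; returns its decision."""
    status, detail = hardened_decide(req)
    if status == "ok":
        with open(os.path.join(dest_dir, detail), "wb") as fh:
            fh.write(req.data)
    return (status, detail)


if __name__ == "__main__":
    # Constructed sample: an anonymous request that sets the client flag and
    # sends non-image bytes under a script extension.
    anon = UploadRequest(None, {"can_upload": "1"}, "page.php", b"plain text, not an image")
    print("vulnerable:", vulnerable_decide(anon))       # accepted as page.php
    print("hardened:  ", hardened_decide(anon))         # denied: not authorized
    good = UploadRequest("editor-42", {}, "logo.png", ALLOWED_TYPES["png"] + b"\x00" * 16)
    print("hardened:  ", hardened_decide(good))         # ok, random .png name
```

The order of checks matters for detection as well as prevention: authorization is evaluated first from session state, so an anonymous upload attempt is rejected and can be logged before any file handling happens, and the stored name never derives from client input, so a reviewer of the upload directory can treat any file whose name does not match the random pattern as suspicious.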

Details

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

widzialni pad cms ≤ 1.2.1

CVEs Like This One

- CVE-2025-7065: same product (Widzialni Pad Cms)
- CVE-2025-8120: same product (Widzialni Pad Cms)
- CVE-2025-63994: shared CWE-434
- CVE-2025-6207: shared CWE-434
- CVE-2025-6079: shared CWE-434
- CVE-2025-6222: shared CWE-434
- CVE-2026-32523: shared CWE-434
- CVE-2025-66256: shared CWE-434
- CVE-2024-13908: shared CWE-434
- CVE-2026-3891: shared CWE-434

References