CVE-2025-7065
Published: 30 September 2025
Summary
CVE-2025-7065 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Widzialni Pad Cms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Validates inputs to the photo upload functionality to enforce restrictions on file types and extensions, directly preventing unauthenticated unrestricted uploads of executable files leading to RCE.
- Enforces server-side access control decisions independent of client-controlled permission parameters, mitigating the bypass that allows unauthenticated file uploads.
- Deploys malicious code protection at the upload entry point to scan and block dangerous executable files, preventing their execution for RCE even if uploaded.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload on a public-facing web application directly enables T1190 exploitation for initial RCE; the uploaded files can be web shells (T1505.003), giving the attacker arbitrary code execution.
NVD Description
Due to a client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution. This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and the producer will not publish patches for this vulnerability.
Deeper analysis
CVE-2025-7065 is a critical vulnerability in the photo upload functionality of PAD CMS, stemming from a client-controlled permission check parameter that fails to restrict file types or extensions. This flaw enables unauthenticated remote attackers to upload arbitrary files, which can subsequently be executed to achieve remote code execution (RCE). The issue impacts all three templates of PAD CMS: www, bip, and ww+bip, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By sending a specially crafted request to the photo upload endpoint, the attacker can upload malicious executable files, such as web shells, which can then be triggered to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or further lateral movement.
The advisory from CERT.pl (https://cert.pl/posts/2025/09/CVE-2025-7063) confirms that PAD CMS is end-of-life, and the producer will not release patches for this vulnerability, leaving mitigation reliant on network segmentation, disabling the upload feature if possible, or immediate decommissioning of affected systems.
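As an added illustration (not PAD CMS's own code, which is not shown in this record), the weak pattern the analysis describes is placed beside a hardened handler that applies the two controls named above: the permission decision is taken from the server-side session rather than a client field (AC-3), and the file is checked against an extension allowlist plus magic bytes and stored under a server-chosen name (SI-10). All field, role and function names are hypothetical.

```python
# Added example, not PAD CMS code. Field names ("can_upload"), the session
# layout and the role name "upload_photo" are hypothetical.
import os
import re
from dataclasses import dataclass

# Allowlisted image extensions with the leading bytes a genuine file must carry.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
MAX_BYTES = 5 * 1024 * 1024


@dataclass
class Upload:
    filename: str   # name supplied by the client
    content: bytes  # raw file bytes
    form: dict      # other form fields sent by the client


def vulnerable_accept(upload: Upload, session: dict):
    """Weak pattern (CWE-434): the permission decision is read from a
    client-controlled form field and no file-type restriction is applied.
    Returns the name the file would be stored under, or None if refused."""
    if upload.form.get("can_upload") != "1":
        return None
    return os.path.basename(upload.filename)


def hardened_accept(upload: Upload, session: dict):
    """Hardened handler: authorization comes only from server-side session
    state (AC-3); the file must match an allowlisted extension and its magic
    bytes and is renamed by the server (SI-10). Client form fields are ignored."""
    if not session.get("authenticated"):
        return None
    if "upload_photo" not in session.get("roles", ()):
        return None
    if not upload.content or len(upload.content) > MAX_BYTES:
        return None
    name = upload.filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in ALLOWED or not upload.content.startswith(ALLOWED[ext]):
        return None
    # Server-chosen filename: strip path components and any extra dots, so a
    # double extension or traversal sequence cannot survive into storage.
    stem = re.sub(r"[^a-z0-9]", "", name.rsplit(".", 1)[0])[:32] or "photo"
    return f"{stem}.{ext}"
```

Any anti-malware scanning of the stored bytes (the third control above) would sit after `hardened_accept` returns a name, before the file is made reachable by the web server.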
Details
- CWE(s)