CVE-2025-7627
Published: 14 July 2025
Summary
CVE-2025-7627 is a medium-severity Improper Access Control (CWE-284) vulnerability in Yijiusmile Kkfileviewofficeedit. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked in the top 42.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control enforces ownership-based restrictions on portable storage device use, directly implementing access control over media insertion into organizational systems.
- Hardware write-protect enforces access control on critical resources (e.g., firmware) independent of software state.
- The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
- Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
- Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
- Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
- By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
- Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload at /fileUpload directly enables arbitrary file ingress (T1105) for further compromise; web shell or initial access mappings are plausible but not explicitly indicated.
NVD Description
A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd and classified as critical. Affected by this issue is the function fileUpload of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available.
Deeper analysis
CVE-2025-7627 is a critical vulnerability in the YiJiuSmile kkFileViewOfficeEdit project, affecting versions up to commit 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. The flaw exists in the fileUpload function exposed at the /fileUpload endpoint, where manipulation of the File argument enables unrestricted file upload. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 6.3.
The vulnerability is exploitable remotely over the network with low attack complexity and no user interaction required, but demands low privileges (PR:L) from the attacker. A successful exploit allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged scope, enabling an authenticated user to upload arbitrary files that could facilitate further compromise depending on server configuration and file handling.
Advisories on VulDB (ctiid.316328, id.316328) and the project's GitHub issue #14 document the issue, noting that the exploit has been publicly disclosed and may be actively used. As kkFileViewOfficeEdit employs a rolling release model for continuous delivery, no specific affected or patched versions are defined; practitioners should review the GitHub repository for commits addressing the vulnerability and implement input validation or access controls on the /fileUpload endpoint as mitigations.
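The page does not show the project's own /fileUpload handler, so the following is an added illustration (not kkFileViewOfficeEdit code, and written in Python regardless of the project's language) of the two mitigations the analysis names: an authorization check on the caller (CWE-284) and validation of the uploaded file (CWE-434). The user object, allowed types, size limit and upload directory are constructed assumptions.

```python
import os
import re

# Constructed policy: only document types the viewer is meant to render,
# each matched by its extension AND its leading magic bytes.
ALLOWED = {
    "pdf":  [b"%PDF-"],
    "docx": [b"PK\x03\x04"],
    "xlsx": [b"PK\x03\x04"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
}
MAX_BYTES = 20 * 1024 * 1024                  # assumed 20 MiB cap
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


class UploadRejected(Exception):
    """Raised with a short reason when an upload fails a check."""


def validate_upload(user, filename, data, upload_dir="/srv/uploads"):
    # 1. Access control (CWE-284): an anonymous or unprivileged caller
    #    must never reach the file-handling code. `user` is a dict here
    #    (assumption); a real app would use its session/principal object.
    if user is None or not user.get("can_upload"):
        raise UploadRejected("not authorized to upload")
    # 2. Reject, rather than silently strip, any path components.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise UploadRejected("filename contains path components")
    if not SAFE_NAME.match(filename):
        raise UploadRejected("filename has disallowed characters")
    # 3. Extension allowlist (CWE-434); only the final suffix is consulted.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    # 4. Size bound, then magic bytes must agree with the claimed type.
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("bad size")
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # 5. Never store under the client-chosen name: a random server-side
    #    name with the validated extension, confined to upload_dir.
    dest = os.path.join(upload_dir, f"{os.urandom(8).hex()}.{ext}")
    if not dest.startswith(upload_dir.rstrip(os.sep) + os.sep):
        raise UploadRejected("destination escaped upload directory")
    return dest


def verdict(user, filename, data):
    """Return 'ok' or the rejection reason, for logging or for a test."""
    try:
        validate_upload(user, filename, data)
        return "ok"
    except UploadRejected as exc:
        return str(exc)
```

Step 5 is what makes the double-extension question moot: whatever name the client sends, the stored name is chosen by the server and carries only an allowlisted extension.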
Details
- CWE(s)