CVE-2025-7627
Published: 14 July 2025
Summary
CVE-2025-7627 is a low-severity Improper Access Control (CWE-284) vulnerability in Yijiusmile Kkfileviewofficeedit. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked in the top 41.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-7627 is a critical vulnerability in the YiJiuSmile kkFileViewOfficeEdit project, affecting versions up to commit 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. The flaw exists in the fileUpload function exposed at the /fileUpload endpoint, where manipulation of the File argument enables unrestricted file upload. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 6.3.
The vulnerability is exploitable remotely over the network with low attack complexity and no user interaction required, but demands low privileges (PR:L) from the attacker. A successful exploit allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged scope, enabling an authenticated user to upload arbitrary files that could facilitate further compromise depending on server configuration and file handling.
Advisories on VulDB (ctiid.316328, id.316328) and the project's GitHub issue #14 document the issue, noting that the exploit has been publicly disclosed and may be actively used. As kkFileViewOfficeEdit employs a rolling release model for continuous delivery, no specific affected or patched versions are defined; practitioners should review the GitHub repository for commits addressing the vulnerability and implement input validation or access controls on the /fileUpload endpoint as mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21382
Vulnerability details
A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd and classified as critical. Affected by this issue is the function fileUpload of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload at /fileUpload directly enables arbitrary file ingress (T1105) for further compromise; web shell or initial access mappings are plausible but not explicitly indicated.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of uploaded files at the /fileUpload endpoint to reject dangerous types and block the unrestricted upload flaw.
- AC-3 (Access Enforcement): enforces access control policy on the fileUpload function so only authorized actions and file types are permitted, preventing the CWE-284/CWE-434 bypass.
- Least privilege for uploads: limits upload privileges to the minimum required, reducing the attack surface for an authenticated user exploiting the remote file upload vector.
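The three controls above, as an added example that is not kkFileViewOfficeEdit's code (the project's real handler is not reproduced on this page): a naive store-path routine that trusts the client's filename next to a hardened check that enforces an upload role (AC-3, least privilege), an explicit allowlist of document types verified against magic bytes, a size cap, and a sanitised server-chosen filename (SI-10). The role name `document_editor`, the allowlist, the upload directory and the sample bytes are all assumptions constructed for the example.

```python
"""Hardened upload validation for an endpoint like /fileUpload.

Added example, not code from kkFileViewOfficeEdit. The role name, the
allowlist and the sample inputs are constructed for illustration.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # assumed limit for an office/PDF viewer

# Allowlist (assumed): extension -> magic prefixes the content must start with.
# OOXML files are ZIP containers; legacy Office files use the OLE2 header.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "pptx": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "ppt": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}

# Only a conservative character set is allowed in the stored file name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,120}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_path: str = ""


def naive_store_path(filename: str, upload_dir: str) -> str:
    """The CWE-434 pattern: no type, size or path check; the client's name is used as-is."""
    return os.path.join(upload_dir, filename)


def check_upload(filename: str, content: bytes, principal_roles: set[str], upload_dir: str) -> Verdict:
    """Return an accept/reject verdict and, on accept, the server-chosen storage path."""
    # AC-3 / least privilege: enforce the access policy before looking at the file.
    if "document_editor" not in principal_roles:
        return Verdict(False, "principal lacks the upload role")

    # SI-10: bound the input size.
    if len(content) == 0 or len(content) > MAX_UPLOAD_BYTES:
        return Verdict(False, "empty or oversized upload")

    # Keep only the base name; directory components from the client are never honoured.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base) or base.startswith("."):
        return Verdict(False, "unsafe filename")

    # Exactly one extension, and it must be on the allowlist.
    # This rejects names like 'x.jsp' and double extensions like 'x.docx.jsp'.
    parts = base.split(".")
    if len(parts) != 2:
        return Verdict(False, "filename must have exactly one extension")
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension .{ext} not in allowlist")

    # The bytes must look like the type the extension claims, not merely carry the name.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return Verdict(False, "content does not match declared type")

    # The server builds the stored path from sanitised parts and re-checks containment.
    # A production handler would normally substitute a random name for `stem`.
    upload_root = os.path.abspath(upload_dir)
    stored = os.path.abspath(os.path.join(upload_root, f"{stem}.{ext}"))
    if os.path.commonpath([upload_root, stored]) != upload_root:
        return Verdict(False, "resolved path escapes upload directory")

    return Verdict(True, "ok", stored)


if __name__ == "__main__":
    pdf = b"%PDF-1.7\n%constructed sample\n"  # constructed sample bytes
    print(check_upload("report.pdf", pdf, {"document_editor"}, "/srv/uploads"))
    print(check_upload("report.docx", b"<?xml version='1.0'?>", {"document_editor"}, "/srv/uploads"))
    print(naive_store_path("../outside/report.pdf", "/srv/uploads"))
```

The rejection reasons are returned rather than logged so a handler can map them to a 4xx response and a detection rule can count them per principal; a burst of "extension not in allowlist" or "content does not match declared type" verdicts from one account is a useful signal that someone is probing the endpoint.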