
CVE-2025-8120

Severity: Critical
Published: 30 September 2025
Modified: 26 November 2025
CISA KEV: not listed
Patch: none (product is end-of-life)
CVSS v4.0 base score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
EPSS score: 0.0046 (64.8th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-8120 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Widzialni PAD CMS. Its CVSS v4.0 base score is 10.0 (Critical); the CVSS v3.1 base score is 9.8.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0046 places it at the 64.8th percentile, i.e. in the top 35.2% of CVEs by estimated exploit likelihood. It is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation). Because the product is end-of-life, they have to be applied as compensating controls rather than through a vendor patch.

Deeper analysis

CVE-2025-8120 is a critical vulnerability in the upload photo functionality of PAD CMS. The permission check for that function relies on a parameter supplied by the client, so an attacker can simply assert the permission in the request instead of having it decided server-side. As a result, an unauthenticated remote attacker can upload files of any type and extension without restriction, and an uploaded server-side script can then be requested and executed, giving remote code execution (RCE). The issue affects all three PAD CMS templates: www, bip, and ww+bip.

Any unauthenticated attacker with network access to the CMS can exploit this: the attack is low complexity and has no prerequisites (CVSS v3.1 base score 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation gives full compromise of the affected host, with high confidentiality, integrity, and availability impact, because the uploaded file executes directly on the server (CWE-434: Unrestricted Upload of File with Dangerous Type).
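The following is an added example written for this page, not PAD CMS code: it contrasts the flaw pattern described above (an authorization check that trusts a client-supplied form field and keeps the client's file name) with a server-side check that fixes each step of the chain. The CMS's real field, function and path names are not public on this page, so `can_upload`, `is_admin`, the two handlers and the directories used are hypothetical, and the sample requests are constructed.

```python
"""Added example (not PAD CMS code): a client-trusting upload handler beside a
server-side one. can_upload, is_admin, the handler names and the directories
are hypothetical; the sample requests at the bottom are constructed."""
import os
import secrets
from dataclasses import dataclass, field

# The only types a photo upload needs, each with the magic bytes a real file starts with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",       # JPEG start-of-image marker
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",  # PNG signature
    "gif": b"GIF8",               # GIF87a / GIF89a
}


@dataclass
class Request:
    """Minimal stand-in for a multipart upload request (constructed for this example)."""
    form: dict                                   # client-supplied form fields
    filename: str                                # client-supplied file name
    content: bytes                               # uploaded bytes
    session: dict = field(default_factory=dict)  # server-side session; the client cannot write it


def vulnerable_upload(req: Request, upload_dir: str = "/var/www/html/upload") -> str:
    """Flaw pattern: authorization is read from the request body and the client's
    file name is used as-is, so can_upload=1 plus shell.php lands an executable
    file inside the web root. Returns the path the file would be written to."""
    if req.form.get("can_upload") != "1":
        raise PermissionError("upload not permitted")
    return os.path.join(upload_dir, req.filename)


def hardened_upload(req: Request, upload_dir: str = "/srv/cms-uploads") -> str:
    """Server-side authorization and type enforcement. Returns the path the file would be written to."""
    # 1. Authorization comes from the server-side session, never from form fields.
    if not req.session.get("is_admin"):
        raise PermissionError("upload not permitted")
    # 2. Exactly one extension, and it must be on the allowlist. Rejecting
    #    multi-dot names shuts out shell.php.jpg and similar double extensions.
    name = os.path.basename(req.filename)
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {name}")
    ext = parts[1]
    # 3. The bytes must match the declared type, so PHP renamed to .jpg is rejected.
    if not req.content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    # 4. Generate the stored name and keep uploads outside the document root,
    #    so even a mistake above cannot produce a URL the server would execute.
    return os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")


def outcome(handler, req: Request) -> str:
    """Run a handler and summarise the result as "stored:<path>" or "rejected:<error>"."""
    try:
        return "stored:" + handler(req)
    except (PermissionError, ValueError) as exc:
        return "rejected:" + exc.__class__.__name__


# Constructed requests: a generic PHP one-liner as the payload, and a real JPEG header.
ATTACKER = Request(form={"can_upload": "1"}, filename="shell.php",
                   content=b"<?php system($_GET['cmd']); ?>")
DISGUISED = Request(form={}, filename="shell.jpg", content=ATTACKER.content,
                    session={"is_admin": True})
LEGIT = Request(form={}, filename="Photo.JPG", content=b"\xff\xd8\xff\xe0" + b"\x00" * 64,
                session={"is_admin": True})

if __name__ == "__main__":
    for label, req in [("attacker", ATTACKER), ("disguised", DISGUISED), ("legit", LEGIT)]:
        print(f"{label:9} vulnerable -> {outcome(vulnerable_upload, req)}")
        print(f"{label:9} hardened   -> {outcome(hardened_upload, req)}")
```

Each of the four steps in `hardened_upload` closes one path to RCE on its own; the point of stacking them is that the last one (a storage location the web server will not execute from) still holds if a validation step is later weakened.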

PAD CMS is end-of-life, and the vendor will not release patches for this vulnerability. For additional details, refer to the CERT Polska advisory at https://cert.pl/posts/2025/09/CVE-2025-7063.


Vulnerability details

Due to a client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed, leading to remote code execution. This issue affects all 3 templates: www, bip and ww+bip. This product is end-of-life and the producer will not publish patches for this vulnerability.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An unrestricted file upload in a public-facing CMS is exploited over the network for initial access (T1190); the file the attacker uploads is typically a web shell, which then gives persistent code execution on the server (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
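The detection side of the two techniques above, as an added example that is not part of the original page or of any vendor tooling: a small rule set run over web-server access logs. It flags any request for a server-side script under the upload directory (the T1505.003 signal) and upgrades the alert to the full T1190 chain when the same source IP made a successful POST to the upload endpoint shortly before. PAD CMS's real upload endpoint and upload directory are not stated on this page, so `UPLOAD_ENDPOINT` and `UPLOAD_DIR_PREFIX` are placeholders to adapt, and the log lines are constructed.

```python
"""Added example (not from the page or the vendor): access-log detection for
the T1190 -> T1505.003 chain. UPLOAD_ENDPOINT and UPLOAD_DIR_PREFIX are
assumed paths, not PAD CMS's real ones; SAMPLE_LOG is constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/admin/upload_photo.php"   # assumed, not PAD CMS's real path
UPLOAD_DIR_PREFIX = "/upload/"                # assumed, not PAD CMS's real path
# Extensions the web server would execute if served from the upload directory.
SCRIPT_EXTS = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar"}
CHAIN_WINDOW = timedelta(minutes=10)          # max gap between upload and first execution

# Apache/nginx "combined" access-log format (fields after the status are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": urlsplit(m["target"]).path,   # drop the query string
        "status": int(m["status"]),
    }


def script_ext(path: str) -> str:
    """Lower-cased final extension of a URL path, or '' if there is none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def detect(lines):
    """Two rules. Any request for a script under the upload directory is flagged
    as a probable web shell (T1505.003). If the same source IP made a successful
    POST to the upload endpoint within CHAIN_WINDOW beforehand, the alert is
    upgraded to the full upload-then-execute chain (T1190)."""
    alerts = []
    last_upload = {}   # source ip -> time of its most recent successful upload POST
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT and ev["status"] == 200:
            last_upload[ev["ip"]] = ev["ts"]
            continue
        if ev["path"].startswith(UPLOAD_DIR_PREFIX) and script_ext(ev["path"]) in SCRIPT_EXTS:
            alert = {"ip": ev["ip"], "path": ev["path"], "techniques": ["T1505.003"],
                     "reason": "server-side script requested from the upload directory"}
            t0 = last_upload.get(ev["ip"])
            if t0 is not None and timedelta(0) <= ev["ts"] - t0 <= CHAIN_WINDOW:
                alert["techniques"].insert(0, "T1190")
                alert["reason"] = "upload POST followed by execution of a script in the upload directory"
            alerts.append(alert)
    return alerts


# Constructed sample: one full exploitation chain, one benign image fetch,
# and one request for an old script in the upload directory with no upload seen.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Sep/2025:10:14:02 +0000] "POST /admin/upload_photo.php HTTP/1.1" 200 312 "-" "python-requests/2.32"',
    '203.0.113.7 - - [30/Sep/2025:10:14:05 +0000] "GET /upload/photos/x9k2.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.32"',
    '198.51.100.4 - - [30/Sep/2025:10:20:11 +0000] "GET /upload/photos/logo.jpg HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Sep/2025:11:02:40 +0000] "GET /upload/old/cache.phtml HTTP/1.1" 200 64 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ip"], a["path"], ",".join(a["techniques"]), "-", a["reason"])
```

The first rule alone is the durable one: a web shell dropped through this flaw may be requested from a different address than the one that uploaded it, or long after the upload rolled out of the log window, so the script-under-upload-directory check should fire regardless of whether the chain can be reconstructed.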

CVEs Like This One

CVE-2025-7065 (same product: Widzialni PAD CMS)
CVE-2025-7063 (same product: Widzialni PAD CMS)
CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)

Affected Assets

Widzialni PAD CMS, versions ≤ 1.2.1

Mitigating Controls (NIST SP 800-53 r5)

AC-3 (Access Enforcement), prevent: decide upload authorization server-side, from the authenticated session, independent of any client-controlled request parameter.
SI-10 (Information Input Validation), prevent: validate the extension, declared type and actual content of uploaded files, and reject anything outside a short allowlist of image types, so dangerous file types cannot reach a location the server will execute from.
SI-9 (Information Input Restrictions), prevent: restrict which inputs (including file uploads) are accepted, from whom, and in what quantity. Note that SI-9 was withdrawn in SP 800-53 Rev. 4 (incorporated into AC-2, AC-3, AC-5 and AC-6) and remains withdrawn in Rev. 5, so its intent is covered by AC-3 above.

Because PAD CMS is end-of-life and no vendor patch will be released, these controls can only be applied as compensating measures: at the web server or WAF layer (for example, denying script execution in the upload directory and restricting who can reach the upload endpoint), or by decommissioning or migrating off the product.

References

CERT Polska advisory: https://cert.pl/posts/2025/09/CVE-2025-7063