CVE-2025-8120

Critical

Published: 30 September 2025

Published

30 September 2025

Modified

26 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0042 62.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8120 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Widzialni Pad Cms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 enforces server-side access controls and permission checks independent of client-controlled parameters to prevent unauthorized file uploads.

SI-10 Information Input Validation good match

prevent

SI-10 validates the format, type, and content of uploaded files to block unrestricted uploads of dangerous types leading to RCE.

SI-9 Information Input Restrictions good match

prevent

SI-9 restricts the types and amount of information inputs, such as file uploads, to mitigate unrestricted file upload vulnerabilities.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Unrestricted file upload in public-facing CMS directly enables T1190 exploitation for initial access and T1505.003 web shell deployment for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution.This issue affects all 3…

templates: www, bip and ww+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.

Deeper analysisAI

CVE-2025-8120 is a critical vulnerability in PAD CMS's upload photo functionality, stemming from a client-controlled permission check parameter that fails to enforce restrictions. This flaw enables an unauthenticated remote attacker to upload files of any type and extension without limitations, which can subsequently be executed to achieve remote code execution (RCE). The issue impacts all three templates of PAD CMS: www, bip, and ww+bip.

Any unauthenticated attacker with network access can exploit this vulnerability due to its low complexity and lack of prerequisites (CVSS v3.1 base score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows full compromise of the affected system, including high confidentiality, integrity, and availability impacts, as the uploaded malicious files can be executed directly on the server (CWE-434: Unrestricted Upload of File with Dangerous Type).

PAD CMS is end-of-life, and the producer will not release patches for this vulnerability. For additional details, refer to the advisory at https://cert.pl/posts/2025/09/CVE-2025-7063.