Cyber Posture

CVE-2026-3025

High

Published: 23 February 2026

Published
23 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0005 16.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3025 is a high-severity Improper Access Control (CWE-284) vulnerability in Shuoren Smart Heating Integrated Management Platform. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

MP-7 Media Use
addresses: CWE-284 CWE-434

This control enforces ownership-based restrictions on portable storage device use, directly implementing access control over media insertion into organizational systems.

SC-51 Hardware-based Protection
addresses: CWE-284 CWE-434

Hardware write-protect enforces access control on critical resources (e.g., firmware) independent of software state.

AC-1 Policy and Procedures
addresses: CWE-284

The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

AC-11 Device Lock
addresses: CWE-284

Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.

AC-13 Supervision and Review — Access Control
addresses: CWE-284

Supervision and review of access control activities directly detects and remediates improper access configurations or usages.

AC-14 Permitted Actions Without Identification or Authentication
addresses: CWE-284

Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.

AC-15 Automated Marking
addresses: CWE-284

By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.

AC-16 Security and Privacy Attributes
addresses: CWE-284

Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Unrestricted file upload on public-facing .asmx endpoint enables initial access via T1190, direct tool/file ingress via T1105, and web shell deployment for execution/persistence via T1505.003.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted upload. It is possible…

more

to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-3025 is an unrestricted file upload vulnerability in the ShuoRen Smart Heating Integrated Management Platform version 1.0.0. The flaw affects an unknown functionality within the /MP/Service/Webservice/ExampleNodeService.asmx file, where manipulation of the "File" argument enables attackers to upload arbitrary files without restrictions. This issue is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to upload malicious files that could lead to further compromise depending on server configuration and file execution capabilities.

VulDB advisories, referenced at https://vuldb.com/?ctiid.347381, https://vuldb.com/?id.347381, and https://vuldb.com/?submit.756376, detail the vulnerability but note no vendor response or patches were issued despite early disclosure contact. Practitioners should restrict network access to the affected endpoint, implement web application firewalls to block anomalous file uploads, and monitor for exploit attempts until a fix is available.

An exploit for this vulnerability has been publicly published and may be actively used, increasing the risk for exposed instances of the platform.

Details

CWE(s)
CWE-284CWE-434

Affected Products

shuoren
smart heating integrated management platform
1.0.0

CVEs Like This One

CVE-2025-1166Shared CWE-284, CWE-434
CVE-2026-4221Shared CWE-284, CWE-434
CVE-2025-1555Shared CWE-284, CWE-434
CVE-2025-1818Shared CWE-284, CWE-434
CVE-2026-2977Shared CWE-284, CWE-434
CVE-2025-0722Shared CWE-284, CWE-434
CVE-2025-2350Shared CWE-284, CWE-434
CVE-2026-1424Shared CWE-284, CWE-434
CVE-2025-2115Shared CWE-284, CWE-434
CVE-2026-4201Shared CWE-284, CWE-434

References