CRITICAL🇵🇱 Wersja polska

CVE-2025-8120

CVSS 10.0v4.0pub. 2025-09-30upd. 2025-11-26

Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution.This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.

🤖 AI Analysis
How it works

The permission verification mechanism in the photo upload function relies on a client-controlled parameter, allowing arbitrary modification. An attacker without any authentication can send a crafted request with an executable file (e.g., webshell) and bypass all restrictions on allowed file types and extensions. After uploading, the malicious file can be invoked by the attacker, resulting in code execution on the server. The issue affects all three system templates: www, bip, and ww+bip.

Impact

An attacker gains the ability to execute arbitrary code on the server (RCE) without needing any permissions, which may lead to complete system takeover, data breach, and further lateral movement in the infrastructure.

Mitigation & patch

The vendor will not publish fixes for this vulnerability — the product has reached End-Of-Life status. Immediately withdraw PAD CMS from use or isolate it from the public network (e.g., disable external access, apply firewall rules blocking access to upload functions). Migration to an actively supported CMS solution is recommended. Additional references: https://cert.pl/posts/2025/09/CVE-2025-7063

Who is affected

All versions of Widzialni PAD CMS in all three templates: www, bip, and ww+bip. The product is marked as End-Of-Life.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Widzialni Pad Cms

    APP
    Widzialni
    ≤ 1.2.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-7063CRITICAL10.0PL ✓ten sam produkt

Unrestricted File Upload w PAD CMS umożliwiający RCE

CVE-2025-7065CRITICAL10.0PL ✓ten sam produkt

PAD CMS – nieograniczony upload plików prowadzący do RCE

CVE-2025-8122HIGH8.7ten sam produkt

Improper neutralization of input provided by an authorized user in article positioning functionality allows fo...

CVE-2025-8117HIGH8.7ten sam produkt

PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any u...

CVE-2025-8121HIGH8.7ten sam produkt

Improper neutralization of input provided by an authorized user in article positioning functionality allows fo...