Skip to main content
CVE Vulnerability Database

CVE-2025-2705: Digiwin ERP 5.1 RCE Vulnerability

CVE-2025-2705 is a critical remote code execution flaw in Digiwin ERP 5.1 caused by unrestricted file upload. Attackers can exploit this remotely to execute malicious code. This article covers technical details and mitigation.

Published:

CVE-2025-2705 Overview

A critical unrestricted file upload vulnerability has been identified in Digiwin ERP 5.1. The vulnerability exists in the DoUpload and DoWebUpload functions within the /Api/FileUploadApi.ashx file. Remote attackers can exploit this flaw to upload arbitrary files to the server, potentially leading to remote code execution. The exploit has been publicly disclosed, and the vendor was contacted but did not respond.

Critical Impact

Remote attackers can upload malicious files without restrictions, potentially achieving remote code execution on affected Digiwin ERP 5.1 systems.

Affected Products

  • Digiwin ERP 5.1

Discovery Timeline

  • 2025-03-24 - CVE-2025-2705 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-2705

Vulnerability Analysis

This vulnerability falls under CWE-284 (Improper Access Control), where the file upload functionality fails to properly validate or restrict the types of files that can be uploaded. The DoUpload and DoWebUpload functions in the FileUploadApi.ashx handler do not implement adequate file type restrictions, allowing attackers to upload malicious executables, web shells, or other dangerous file types directly to the server.

The network-accessible nature of this vulnerability means that any attacker with network access to the affected ERP system can exploit this flaw without requiring prior authentication. Once a malicious file is uploaded, the attacker may execute arbitrary code on the server, potentially compromising the entire ERP infrastructure and sensitive business data.

Root Cause

The root cause of this vulnerability is inadequate input validation in the file upload handling mechanism. The DoUpload and DoWebUpload functions within /Api/FileUploadApi.ashx fail to properly sanitize or restrict the File argument, allowing arbitrary file types to be uploaded without validation. This lack of file type verification enables attackers to bypass intended security controls and upload executable content directly to the server.

Attack Vector

The attack can be executed remotely over the network without requiring user interaction. An attacker would craft a malicious HTTP request to the /Api/FileUploadApi.ashx endpoint, utilizing the DoUpload or DoWebUpload function with a manipulated File parameter. By uploading a web shell or other malicious executable to the server, the attacker can achieve remote code execution. The exploit has been publicly disclosed, increasing the likelihood of active exploitation attempts.

The vulnerability manifests in the file upload handling mechanism where proper file type validation is missing. For technical details and proof-of-concept information, see the GitHub RCE Report 3 and GitHub RCE Report 4.

Detection Methods for CVE-2025-2705

Indicators of Compromise

  • Suspicious HTTP POST requests to /Api/FileUploadApi.ashx containing executable file types (.aspx, .asp, .exe, .php)
  • Unexpected files appearing in upload directories, particularly web shells or executable scripts
  • Unusual outbound network connections from the ERP server indicating potential reverse shell activity
  • Log entries showing repeated file upload attempts from external IP addresses

Detection Strategies

  • Monitor web server logs for requests to /Api/FileUploadApi.ashx with suspicious file extensions in the request body
  • Implement file integrity monitoring on web-accessible directories to detect unauthorized file creation
  • Deploy network-based intrusion detection rules to identify file upload exploit attempts targeting the Digiwin ERP endpoint
  • Review web application firewall logs for blocked upload attempts containing malicious payloads

Monitoring Recommendations

  • Enable detailed logging for all file upload operations on the Digiwin ERP server
  • Configure alerts for any new executable files created in web-accessible directories
  • Monitor process execution on the ERP server for suspicious child processes spawned by the web server
  • Implement regular security scanning of uploaded files and web directories

How to Mitigate CVE-2025-2705

Immediate Actions Required

  • Restrict network access to the /Api/FileUploadApi.ashx endpoint using firewall rules or web server configurations
  • Implement a web application firewall (WAF) rule to block suspicious file upload attempts
  • Audit existing uploaded files for potential web shells or malicious content
  • Consider temporarily disabling the file upload functionality until a patch is available

Patch Information

No official patch has been released by the vendor at this time. The vendor was contacted regarding this disclosure but did not respond. Organizations should monitor VulDB #300726 for updates on vendor response and potential patches.

Workarounds

  • Implement strict file type whitelisting at the web server level to only allow safe file extensions
  • Store uploaded files outside of web-accessible directories to prevent direct execution
  • Configure the web server to disable execution permissions on upload directories
  • Use network segmentation to limit access to the ERP system from untrusted networks
bash
# Example: Restrict access to FileUploadApi.ashx via IIS URL Rewrite
# Add to web.config in the application root
# <system.webServer>
#   <security>
#     <requestFiltering>
#       <filteringRules>
#         <filteringRule name="BlockFileUploadApi" scanUrl="true">
#           <appliesTo>
#             <add fileExtension=".ashx" />
#           </appliesTo>
#           <denyStrings>
#             <add string="FileUploadApi" />
#           </denyStrings>
#         </filteringRule>
#       </filteringRules>
#     </requestFiltering>
#   </security>
# </system.webServer>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.