CVE-2025-2705 Overview
A critical unrestricted file upload vulnerability has been identified in Digiwin ERP 5.1. The vulnerability exists in the DoUpload and DoWebUpload functions within the /Api/FileUploadApi.ashx file. Remote attackers can exploit this flaw to upload arbitrary files to the server, potentially leading to remote code execution. The exploit has been publicly disclosed, and the vendor was contacted but did not respond.
Critical Impact
Remote attackers can upload malicious files without restrictions, potentially achieving remote code execution on affected Digiwin ERP 5.1 systems.
Affected Products
- Digiwin ERP 5.1
Discovery Timeline
- 2025-03-24 - CVE-2025-2705 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2705
Vulnerability Analysis
This vulnerability falls under CWE-284 (Improper Access Control), where the file upload functionality fails to properly validate or restrict the types of files that can be uploaded. The DoUpload and DoWebUpload functions in the FileUploadApi.ashx handler do not implement adequate file type restrictions, allowing attackers to upload malicious executables, web shells, or other dangerous file types directly to the server.
The network-accessible nature of this vulnerability means that any attacker with network access to the affected ERP system can exploit this flaw without requiring prior authentication. Once a malicious file is uploaded, the attacker may execute arbitrary code on the server, potentially compromising the entire ERP infrastructure and sensitive business data.
Root Cause
The root cause of this vulnerability is inadequate input validation in the file upload handling mechanism. The DoUpload and DoWebUpload functions within /Api/FileUploadApi.ashx fail to properly sanitize or restrict the File argument, allowing arbitrary file types to be uploaded without validation. This lack of file type verification enables attackers to bypass intended security controls and upload executable content directly to the server.
Attack Vector
The attack can be executed remotely over the network without requiring user interaction. An attacker would craft a malicious HTTP request to the /Api/FileUploadApi.ashx endpoint, utilizing the DoUpload or DoWebUpload function with a manipulated File parameter. By uploading a web shell or other malicious executable to the server, the attacker can achieve remote code execution. The exploit has been publicly disclosed, increasing the likelihood of active exploitation attempts.
The vulnerability manifests in the file upload handling mechanism where proper file type validation is missing. For technical details and proof-of-concept information, see the GitHub RCE Report 3 and GitHub RCE Report 4.
Detection Methods for CVE-2025-2705
Indicators of Compromise
- Suspicious HTTP POST requests to /Api/FileUploadApi.ashx containing executable file types (.aspx, .asp, .exe, .php)
- Unexpected files appearing in upload directories, particularly web shells or executable scripts
- Unusual outbound network connections from the ERP server indicating potential reverse shell activity
- Log entries showing repeated file upload attempts from external IP addresses
Detection Strategies
- Monitor web server logs for requests to /Api/FileUploadApi.ashx with suspicious file extensions in the request body
- Implement file integrity monitoring on web-accessible directories to detect unauthorized file creation
- Deploy network-based intrusion detection rules to identify file upload exploit attempts targeting the Digiwin ERP endpoint
- Review web application firewall logs for blocked upload attempts containing malicious payloads
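The indicators and detection strategies above can be turned into a small log and directory check. The following is an added example, not part of the advisory and not the vendor's code: it parses IIS W3C log lines, flags POSTs to the FileUploadApi.ashx endpoint that carry a server-executable extension or come from outside the organisation's address ranges, raises a separate alert for repeated attempts from one external address, and lists upload-directory files whose name carries an executable extension anywhere (double extensions included). The log lines, the query-string layout, the trusted network ranges and the directory listing are all constructed assumptions for this example.

```python
"""Added detection example (not from the advisory or the vendor): scan IIS
W3C log lines for upload requests to the Digiwin ERP endpoint and flag
executable files in an upload-directory listing. Log lines, query layout,
trusted ranges and the listing are constructed for this example."""
import ipaddress
import re
from collections import Counter
from pathlib import PureWindowsPath
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/api/fileuploadapi.ashx"   # compared case-insensitively
# Extensions named in the advisory's indicators plus other IIS-executable handlers
EXEC_EXT = {".aspx", ".asp", ".exe", ".php", ".ashx", ".asmx", ".cshtml"}
EXT_RE = re.compile(r"\.(aspx|asp|exe|php|ashx|asmx|cshtml)(?=$|[?&;=%\s/\\])", re.I)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges
REPEAT_THRESHOLD = 3

# Constructed IIS log; the field order follows a typical W3C logging setup.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-24 10:01:02 10.0.0.5 POST /Api/FileUploadApi.ashx File=report.pdf 443 - 10.0.0.21 Mozilla/5.0 200
2025-03-24 10:02:15 10.0.0.5 POST /Api/FileUploadApi.ashx File=cmd.aspx 443 - 203.0.113.9 curl/8.0 200
2025-03-24 10:02:16 10.0.0.5 POST /Api/FileUploadApi.ashx File=cmd2.aspx 443 - 203.0.113.9 curl/8.0 200
2025-03-24 10:02:17 10.0.0.5 POST /Api/FileUploadApi.ashx File=x.asp 443 - 203.0.113.9 curl/8.0 500
2025-03-24 10:03:00 10.0.0.5 GET /Default.aspx - 443 - 10.0.0.22 Mozilla/5.0 200
"""

# Constructed listing of an upload directory (what file integrity monitoring would report)
SAMPLE_UPLOAD_DIR = [
    "uploads/2025/report.pdf",
    "uploads/2025/invoice.pdf.aspx",
    "uploads/2025/cmd.aspx",
    "uploads/2025/logo.png",
]


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated record: skip rather than misalign the fields
        yield dict(zip(fields, parts))


def is_internal(ip):
    """True when the source address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def scan_upload_log(log_text):
    """Return alert dicts for suspicious POSTs to the upload endpoint.
    Note: IIS logs carry the query string but not the multipart body, so a
    file name that only appears in the body needs WAF or request tracing."""
    alerts = []
    attempts = Counter()
    for rec in parse_w3c(log_text):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if rec.get("cs-uri-stem", "").lower() != UPLOAD_ENDPOINT:
            continue
        src = rec.get("c-ip", "-")
        attempts[src] += 1
        reasons = []
        match = EXT_RE.search(unquote(rec.get("cs-uri-query", "-")))
        if match:
            reasons.append(f"executable extension .{match.group(1).lower()} in request")
        if not is_internal(src):
            reasons.append("source outside trusted networks")
        if reasons:
            alerts.append({"time": f"{rec['date']} {rec['time']}", "src": src,
                           "status": rec.get("sc-status"), "reasons": reasons})
    for src, count in attempts.items():
        if count >= REPEAT_THRESHOLD and not is_internal(src):
            alerts.append({"time": None, "src": src, "status": None,
                           "reasons": [f"{count} upload attempts from external address"]})
    return alerts


def find_suspicious_files(relative_paths):
    """Return paths whose file name carries an executable extension anywhere,
    so 'invoice.pdf.aspx' is caught as well as 'cmd.aspx'."""
    hits = []
    for path in relative_paths:
        suffixes = {s.lower() for s in PureWindowsPath(PureWindowsPath(path).name).suffixes}
        if suffixes & EXEC_EXT:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for alert in scan_upload_log(SAMPLE_LOG):
        print(alert)
    print("suspicious files:", find_suspicious_files(SAMPLE_UPLOAD_DIR))
```

Run against real logs, point `parse_w3c` at the contents of the IIS log files and adjust `TRUSTED_NETS` to the ranges that legitimately reach the ERP server; the repeat threshold is deliberately low so that a burst from one outside address stands out even when the individual requests carry no obvious extension.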
Monitoring Recommendations
- Enable detailed logging for all file upload operations on the Digiwin ERP server
- Configure alerts for any new executable files created in web-accessible directories
- Monitor process execution on the ERP server for suspicious child processes spawned by the web server
- Implement regular security scanning of uploaded files and web directories
How to Mitigate CVE-2025-2705
Immediate Actions Required
- Restrict network access to the /Api/FileUploadApi.ashx endpoint using firewall rules or web server configurations
- Implement a web application firewall (WAF) rule to block suspicious file upload attempts
- Audit existing uploaded files for potential web shells or malicious content
- Consider temporarily disabling the file upload functionality until a patch is available
Patch Information
No official patch has been released by the vendor at this time. The vendor was contacted regarding this disclosure but did not respond. Organizations should monitor VulDB #300726 for updates on vendor response and potential patches.
Workarounds
- Implement strict file type whitelisting at the web server level to only allow safe file extensions
- Store uploaded files outside of web-accessible directories to prevent direct execution
- Configure the web server to disable execution permissions on upload directories
- Use network segmentation to limit access to the ERP system from untrusted networks
<!-- Example: block requests to FileUploadApi.ashx with IIS Request Filtering.
     Add to web.config in the application root. The rule denies every .ashx
     request whose URL contains "FileUploadApi", legitimate uploads included,
     so it suits the temporary disabling of upload functionality described above. -->
<system.webServer>
  <security>
    <requestFiltering>
      <filteringRules>
        <filteringRule name="BlockFileUploadApi" scanUrl="true">
          <appliesTo>
            <add fileExtension=".ashx" />
          </appliesTo>
          <denyStrings>
            <add string="FileUploadApi" />
          </denyStrings>
        </filteringRule>
      </filteringRules>
    </requestFiltering>
  </security>
</system.webServer>
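The workarounds above describe what a safe upload path looks like. As an added example, not the vendor's code and not the .ashx handler itself, here is that policy written out in Python: the client-supplied path is reduced to a bare file name, the extension must be on an allow-list and no executable extension may appear anywhere in the name, the content's leading bytes must match the claimed type, a size cap applies, and the file is written under a random name into a directory that the web server does not serve. The allowed types, magic-byte table, size limit and sample uploads are constructed for this example.

```python
"""Added hardening example (not the vendor's code and not the .ashx handler):
the upload policy from the workarounds, in Python. Allowed types, magic
bytes, the size cap and the sample uploads are constructed assumptions."""
import os
import secrets
import tempfile
from pathlib import Path, PureWindowsPath

# Allowed extension -> byte prefixes the content must start with (constructed table)
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions IIS may hand to a script engine or treat as configuration;
# rejected wherever they occur in the name, not only at the end.
BLOCKED_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".php", ".cshtml", ".config"}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Carries a reason for the server log; do not echo it verbatim to clients."""


def validate_upload(client_filename, content):
    """Return the allow-listed extension for this upload or raise UploadRejected."""
    # Keep only the last path component: clients may send drive letters or '..'
    name = PureWindowsPath(client_filename).name
    if name in ("", ".", "..") or "\x00" in name:
        raise UploadRejected("invalid file name")
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if not suffixes:
        raise UploadRejected("file has no extension")
    if any(s in BLOCKED_EXT for s in suffixes):
        raise UploadRejected("blocked extension in file name")
    ext = suffixes[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext} is not allow-listed")
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    return ext


def store_upload(content, ext, storage_dir):
    """Write the bytes under a random name in storage_dir, which must lie
    outside the web root; the client's own name is never reused."""
    storage = Path(storage_dir)
    storage.mkdir(parents=True, exist_ok=True)
    dest = storage / (secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite an existing file; 0o600 limits access to the service account
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return dest


def handle_upload(client_filename, content, storage_dir):
    """Validate, then store; returns the path written."""
    ext = validate_upload(client_filename, content)
    return store_upload(content, ext, storage_dir)


def demo(storage_dir=None):
    """Push constructed uploads through the policy; returns (accepted, rejected)."""
    storage = storage_dir or tempfile.mkdtemp(prefix="erp-uploads-")
    cases = {
        "quarterly-report.pdf": b"%PDF-1.7\n%constructed sample\n",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "invoice.pdf.aspx": b"not really a document",
        "..\\..\\web.config": b"<configuration />",
        "fake.pdf": b"MZ\x90\x00" + b"\x00" * 8,  # executable header behind a .pdf name
        "notes": b"plain text with no extension",
    }
    accepted, rejected = {}, {}
    for name, data in cases.items():
        try:
            accepted[name] = handle_upload(name, data, storage).suffix
        except UploadRejected as err:
            rejected[name] = str(err)
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The random storage name and the out-of-web-root directory together mean that even a file that slips past the type checks is never reachable by URL; serving it back to users should go through an application endpoint that sets a fixed Content-Type and a Content-Disposition attachment header rather than through the web server's static file handling.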
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.