CVE-2025-3585 Overview
CVE-2025-3585 is an unrestricted file upload vulnerability in westboy CicadasCMS 1.0. The flaw resides in the JSP Parser component, which processes requests sent to the /upload/ endpoint. An authenticated attacker can manipulate the File parameter to upload arbitrary content to the server. The exploit details have been publicly disclosed, increasing the risk of opportunistic abuse against exposed instances.
The vulnerability is tracked under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It can be triggered remotely over the network with low privileges and no user interaction.
Critical Impact
Remote attackers with low privileges can upload arbitrary files through the JSP Parser, potentially leading to code execution within the CicadasCMS application context.
Affected Products
- westboy CicadasCMS 1.0
- JSP Parser component handling /upload/ requests
- Deployments exposing the CicadasCMS upload endpoint to untrusted networks
Discovery Timeline
- 2025-04-14 - CVE-2025-3585 published to NVD
- 2025-05-21 - Last updated in NVD database
Technical Details for CVE-2025-3585
Vulnerability Analysis
The vulnerability exists in the file upload handler exposed at /upload/ within the JSP Parser component of CicadasCMS 1.0. The handler accepts files supplied through the File argument without enforcing adequate restrictions on file type, extension, or content. Because CicadasCMS runs on a Java servlet container, uploaded .jsp payloads placed in a web-accessible directory can be executed by the server.
The issue maps to CWE-434 and CWE-284, reflecting both missing file type validation and broken access control around the upload endpoint. The current EPSS probability is 0.065%, indicating a low predicted likelihood of exploitation, although public disclosure raises the likelihood over time.
Root Cause
The root cause is the absence of server-side validation on uploaded files. The JSP Parser does not enforce an allowlist of safe MIME types or extensions, does not verify file content against expected formats, and does not isolate uploaded files from executable web paths. Combined with insufficient access controls on the upload endpoint, low-privileged users can push attacker-controlled content into the application directory.
Attack Vector
An attacker authenticates to the application with low privileges and submits a crafted multipart request to /upload/ containing a malicious file in the File parameter. If the uploaded file is stored under a path served by the JSP engine, requesting that path triggers execution of the attacker's code. The attack is performed remotely over HTTP and requires no user interaction. Refer to the public issue tracker and the VulDB entry #304641 for additional technical context.
Detection Methods for CVE-2025-3585
Indicators of Compromise
- Presence of unexpected .jsp, .jspx, or .war files in upload directories controlled by CicadasCMS.
- HTTP POST requests to /upload/ containing the File parameter with executable extensions or double extensions such as image.jpg.jsp.
- New JSP files with recent modification timestamps located in web-accessible paths.
- Outbound connections from the CicadasCMS host to unfamiliar IP addresses shortly after upload activity.
Detection Strategies
- Inspect web server access logs for repeated POST requests to /upload/ followed by GET requests to newly created files.
- Compare current contents of upload directories against a known-good baseline to identify unauthorized files.
- Deploy web application firewall rules that flag uploads with server-executable extensions or mismatched MIME types.
- Correlate authentication events with upload activity to identify low-privileged accounts performing unusual file operations.
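The first strategy above, correlating a POST to /upload/ with a later GET for a server-executable file from the same client, can be sketched as follows. This is an added example, not part of the original advisory or of CicadasCMS; the combined log format, the sample lines, the storage paths under /upload/ and the ten-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2025:10:00:01 +0000] "POST /upload/ HTTP/1.1" 200 87 "-" "curl/8.5"
203.0.113.7 - - [14/Apr/2025:10:00:09 +0000] "GET /upload/2025/image.jpg.jsp HTTP/1.1" 200 12 "-" "curl/8.5"
198.51.100.4 - - [14/Apr/2025:10:02:00 +0000] "POST /upload/ HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Apr/2025:10:02:03 +0000] "GET /upload/2025/photo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.15 - - [14/Apr/2025:11:30:00 +0000] "GET /upload/old/report.jsp HTTP/1.1" 404 0 "-" "scanner"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
EXEC_EXT_RE = re.compile(r'\.(jsp|jspx|war)$', re.IGNORECASE)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string and servlet path parameters before matching.
    path = re.sub(r";[^/]*", "", m["path"].split("?", 1)[0])
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_upload_then_exec(log_text, window=timedelta(minutes=10)):
    """Return (ip, path, seconds_after_upload) for each suspicious GET."""
    last_upload = {}  # client IP -> time of its latest accepted POST /upload/
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.startswith("/upload/") and status < 400:
            last_upload[ip] = ts
        elif method == "GET" and EXEC_EXT_RE.search(path):
            up = last_upload.get(ip)
            if up is not None and timedelta(0) <= ts - up <= window:
                alerts.append((ip, path, int((ts - up).total_seconds())))
    return alerts
```

Keying on client IP is the simplest correlation; where the application logs a session or account identifier, keying on that also supports the authentication correlation in the last bullet.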
Monitoring Recommendations
- Enable file integrity monitoring on directories that store CicadasCMS uploads and on the application's web root.
- Forward web server, application, and authentication logs to a centralized analytics platform for correlation.
- Alert on JSP file creation events outside of scheduled deployment windows.
- Track process creation by the servlet container user to detect post-exploitation command execution.
How to Mitigate CVE-2025-3585
Immediate Actions Required
- Restrict network access to the CicadasCMS administrative and upload endpoints using firewall or reverse proxy rules.
- Disable or remove the /upload/ route until a vendor fix is validated.
- Audit existing upload directories for unauthorized JSP files and remove any unexpected artifacts.
- Rotate credentials for accounts that have upload privileges and review recent authentication logs.
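The directory audit above, together with the baseline comparison listed under Detection Strategies, can be done with a hash manifest. This is an added example, not from the advisory or the CicadasCMS project; the upload directory is stood in for by a temporary directory with constructed files, and the finding labels are hypothetical.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = {".jsp", ".jspx", ".war"}  # extensions named in the indicators list

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out

def audit(root, baseline):
    """Compare the directory with a known-good manifest; return findings."""
    findings = []
    for rel, digest in sorted(snapshot(root).items()):
        ext = os.path.splitext(rel)[1].lower()  # last extension decides
        if ext in EXEC_EXTS:
            findings.append(("executable-extension", rel))
        elif rel not in baseline:
            findings.append(("not-in-baseline", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    return findings

def demo():
    # Constructed files standing in for an upload directory.
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        write("logo.png", b"\x89PNG constructed")
        write("banner.jpg", b"\xff\xd8 constructed")
        baseline = snapshot(root)  # taken while the directory is trusted
        write("image.jpg.jsp", b"constructed placeholder")
        write("notes.txt", b"new")
        write("banner.jpg", b"\xff\xd8 changed")
        return audit(root, baseline)
```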
Patch Information
No vendor advisory or official patch has been published for CicadasCMS 1.0 at the time of NVD publication. Monitor the GitHub issue tracker and the VulDB record for updates. Organizations should consider migrating away from CicadasCMS 1.0 if no maintained release becomes available.
Workarounds
- Configure the servlet container to prevent execution of JSP files within user-writable upload paths.
- Enforce server-side validation that restricts uploads to a strict allowlist of safe MIME types and extensions.
- Store uploaded files outside the web root and serve them through a controlled handler that sets safe content types.
- Require strong authentication and apply least privilege to any account permitted to access /upload/.
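# Example nginx rule blocking execution of uploaded JSP content
# (effective only when nginx is the sole path to the servlet container)
location ^~ /upload/ {
    # Clear the extension-to-MIME map so files are served as opaque downloads
    types { }
    default_type application/octet-stream;
    add_header Content-Disposition "attachment";

    # Refuse requests for server-executable file types
    location ~* \.(jsp|jspx|war)$ {
        return 403;
    }
}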

