Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65806

CVE-2025-65806: E-point CMS File Upload RCE Vulnerability

CVE-2025-65806 is a remote code execution vulnerability in E-point CMS caused by improper handling of nested archive files. Attackers can upload malicious ZIP files to execute code. This article covers technical details, impact, and mitigations.

Published:

CVE-2025-65806 Overview

CVE-2025-65806 affects E-POINT CMS version eagle.gsam-1169.1 and stems from improper handling of nested archive files during upload processing. An authenticated attacker can upload a ZIP archive containing another ZIP that embeds an executable payload such as webshell.php. When the application recursively extracts the archives, the inner executable can land in a web-accessible directory. The flaw is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.

Critical Impact

Successful exploitation can lead to remote code execution, data disclosure, account compromise, and lateral movement within the hosting environment, depending on the privileges of the web server process.

Affected Products

  • E-POINT CMS eagle.gsam-1169.1
  • Deployments exposing the file upload feature to authenticated users
  • Web servers hosting E-POINT CMS with writable extraction directories

Discovery Timeline

  • 2025-12-04 - CVE-2025-65806 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-65806

Vulnerability Analysis

The vulnerability resides in the archive extraction logic of the E-POINT CMS file upload feature. The application accepts ZIP archives without inspecting their nested contents. When an attacker submits a ZIP that contains a second ZIP archive, the extraction routine processes both layers without validating file types or destination paths. The inner archive carries a server-side script such as webshell.php, which is written to a directory reachable by the web server.

Once the script resides in a web-accessible path, the attacker requests it through HTTP and triggers code execution under the privileges of the web server process. This converts a file upload feature into an arbitrary code execution primitive. The flaw aligns with [CWE-434], which covers unrestricted upload of files with dangerous types.

Root Cause

The root cause is twofold. First, the application fails to validate the contents of nested archives, allowing executable scripts to bypass surface-level upload filters. Second, the extraction routine does not constrain output paths or enforce a non-executable destination, letting attacker-controlled files land where the web server can interpret them.

Attack Vector

Exploitation requires network access and authenticated, high-privileged access to the upload feature, as well as user interaction during the upload workflow. The attacker crafts a ZIP containing an inner ZIP with a webshell, submits it through the upload interface, and then requests the extracted shell over HTTP to obtain command execution.

No verified proof-of-concept code is published. Technical details are referenced in the GitHub advisory for CVE-2025-65806 and the E-POINT CMS product page.

Detection Methods for CVE-2025-65806

Indicators of Compromise

  • Unexpected .php, .jsp, or other script files appearing within E-POINT CMS upload or extraction directories.
  • ZIP files in upload staging areas that contain additional nested archives carrying executable extensions.
  • Outbound network connections initiated by the web server process to unfamiliar hosts shortly after a file upload event.
  • Web server access logs showing requests to newly created script files in upload paths.

Detection Strategies

  • Monitor file creation events in web-accessible directories owned by the E-POINT CMS service account and alert on script extensions.
  • Inspect uploaded archives recursively and flag ZIP-in-ZIP structures that contain executable file types.
  • Correlate authenticated upload activity with subsequent first-seen URL requests to the same path.

Monitoring Recommendations

  • Enable detailed web server access and audit logging for the upload endpoint and extraction directories.
  • Forward CMS and web server logs to a centralized analytics platform for behavioral baselining of upload activity.
  • Track process lineage from the web server to detect shell or interpreter spawns following upload requests.

How to Mitigate CVE-2025-65806

Immediate Actions Required

  • Restrict access to the E-POINT CMS upload feature to trusted administrators and enforce multi-factor authentication on those accounts.
  • Disable recursive extraction of nested archives or block ZIP uploads until a vendor patch is applied.
  • Audit upload and extraction directories for unauthorized script files and remove any unrecognized artifacts.
  • Configure the web server to treat upload directories as non-executable, preventing interpretation of scripts written there.

Patch Information

No vendor advisory or patch URL is listed in the NVD record at publication. Operators should contact E-POINT for a fixed build of E-POINT CMS beyond eagle.gsam-1169.1 and consult the GitHub disclosure for CVE-2025-65806 for additional context.

Workarounds

  • Validate archive contents recursively before extraction and reject archives containing executable file types.
  • Extract uploads to a directory outside the web root and serve files only through a controlled handler.
  • Apply an allowlist of permitted file extensions and verify MIME types after extraction.
  • Drop privileges of the web server process so that any extracted shell runs with minimal rights.
bash
# Example Apache configuration to disable script execution in upload directories
<Directory "/var/www/epoint/uploads">
    Options -ExecCGI
    RemoveHandler .php .phtml .phar
    php_flag engine off
    AllowOverride None
    Require all denied
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.