CVE-2025-8120 Overview
CVE-2025-8120 is a critical unrestricted file upload vulnerability affecting PAD CMS, a content management system developed by Widzialni. The vulnerability exists in the upload photo functionality, where a client-controlled permission check parameter allows unauthenticated remote attackers to bypass security controls and upload files of any type and extension without restriction. These uploaded files can subsequently be executed on the server, leading to Remote Code Execution (RCE).
This vulnerability affects all three PAD CMS templates: www, bip, and ww+bip. Critically, this product has reached End-Of-Life status, and the vendor has confirmed they will not publish patches for this vulnerability.
Critical Impact
Unauthenticated attackers can achieve complete server compromise through unrestricted file upload leading to Remote Code Execution. No patches will be released as the product is End-Of-Life.
Affected Products
- Widzialni PAD CMS (all versions)
- PAD CMS www template
- PAD CMS bip template
- PAD CMS ww+bip template
Discovery Timeline
- 2025-09-30 - CVE-2025-8120 published to NVD
- 2025-11-26 - Last updated in NVD database
Technical Details for CVE-2025-8120
Vulnerability Analysis
This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue stems from a fundamental flaw in the permission validation mechanism within PAD CMS's photo upload functionality. The application relies on a client-controlled parameter to determine whether a user has permission to upload files, rather than implementing proper server-side authentication and authorization checks.
By manipulating this client-side permission parameter, an attacker can completely bypass the intended access controls. Once bypassed, the upload functionality fails to validate the file type, extension, or content of uploaded files. This allows attackers to upload arbitrary files, including server-side scripts such as PHP web shells, which can then be accessed directly through the web server to achieve code execution.
The attack is particularly severe because it requires no authentication whatsoever. Any remote attacker with network access to the vulnerable application can exploit this flaw to gain complete control over the underlying server.
Root Cause
The root cause of CVE-2025-8120 lies in improper trust of client-supplied data for security-critical decisions. The application's upload functionality implements permission checks based on a parameter that can be controlled by the attacker in the HTTP request. This represents a violation of the fundamental security principle that client input should never be trusted for authorization decisions.
Additionally, the application lacks proper file validation on the server side. Even if the permission check were implemented correctly, the absence of file type validation, extension whitelisting, and content inspection creates a secondary failure that enables the upload of executable files.
Attack Vector
The attack is network-based and can be executed by unauthenticated remote attackers. The exploitation flow involves:
- An attacker crafts an HTTP request to the photo upload endpoint
- The attacker manipulates the client-controlled permission check parameter to bypass authentication
- The attacker uploads a malicious file (e.g., a PHP web shell) with an executable extension
- The attacker accesses the uploaded file through its web-accessible path
- The server executes the malicious code, granting the attacker command execution capabilities
The vulnerability requires no user interaction and can be exploited with low complexity, making it trivially exploitable by attackers with basic web application knowledge.
Detection Methods for CVE-2025-8120
Indicators of Compromise
- Unexpected files with executable extensions (.php, .asp, .aspx, .jsp) appearing in upload directories
- Web server access logs showing requests to unusual files in photo/media upload paths
- Anomalous outbound network connections from the web server process
- Unexpected process spawning from web server parent processes
Detection Strategies
- Monitor file system changes in web-accessible upload directories for new executable files
- Implement web application firewall (WAF) rules to detect file upload attempts with dangerous extensions
- Review HTTP request logs for manipulation of authentication or permission parameters in upload requests
- Deploy endpoint detection solutions to identify post-exploitation behaviors such as web shell activity
Monitoring Recommendations
- Enable detailed logging on the PAD CMS application and web server
- Configure alerts for file creation events in upload directories with executable file types
- Monitor for command execution patterns typical of web shell activity
- Review server resource utilization for anomalies indicating cryptomining or other malicious payloads
How to Mitigate CVE-2025-8120
Immediate Actions Required
- Immediately migrate away from PAD CMS as the product is End-Of-Life with no security patches available
- If immediate migration is not possible, take the PAD CMS application offline
- Restrict network access to the application using firewall rules while planning migration
- Audit upload directories for any evidence of prior compromise
Patch Information
No patches are available for this vulnerability. The vendor Widzialni has confirmed that PAD CMS has reached End-Of-Life status and no security updates will be released. Organizations using PAD CMS must migrate to a supported content management system immediately.
For additional technical details, refer to the CERT Poland Blog Post.
Workarounds
- Disable the file upload functionality entirely by removing or restricting access to the upload endpoints
- Implement a web application firewall to block requests containing executable file extensions to upload endpoints
- Configure the web server to prevent execution of files in upload directories by removing execute permissions
- Place the application behind VPN or IP whitelist restrictions to limit exposure while planning migration
# Configuration example - Apache .htaccess to prevent execution in upload directory
# Place this file in the PAD CMS upload directory
<Directory /path/to/padcms/uploads>
# Disable PHP execution
php_flag engine off
# Deny access to executable extensions
<FilesMatch "\.(php|phtml|php3|php4|php5|asp|aspx|jsp|cgi|pl)$">
Require all denied
</FilesMatch>
# Remove handler for PHP files
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
