Full Report
CERT Polska has coordinated the disclosure of 9 vulnerabilities (CVE-2025-7063, CVE-2025-7065, and CVE-2025-8116 through CVE-2025-8122) found in PAD CMS software.
Analysis Summary
This summary consolidates the 9 reported vulnerabilities affecting PAD CMS software, as disclosed by CERT Polska. **Note that the vendor has indicated this product is End-Of-Life and will not release patches.**
---
# Vulnerability Summary: Multiple Flaws in PAD CMS Software (CVE-2025-7063 to CVE-2025-8122)
## CVE Details
The following 9 CVEs were disclosed, affecting PAD CMS:
| CVE ID | Vulnerability Type (Description Snippet) | CWE | CVSS Score | Severity |
| :--- | :--- | :--- | :--- | :--- |
| CVE-2025-7063 | Unrestricted Upload of File with Dangerous Type | CWE-434 | N/A | N/A |
| CVE-2025-7065 | Unrestricted Upload of File with Dangerous Type | CWE-434 | N/A | N/A |
| CVE-2025-8116 | XSS / Cross-site Scripting | CWE-79 | N/A | N/A |
| CVE-2025-8117 | Missing Initialization of Resource (Password Reset Bypass) | CWE-909 | N/A | N/A |
| CVE-2025-8118 | Client-Side Enforcement Bypass (Brute-Force Protection) | CWE-602 | N/A | N/A |
| CVE-2025-8119 | Cross-Site Request Forgery (CSRF) in Password Reset | CWE-352 | N/A | N/A |
| CVE-2025-8120 | Unrestricted Upload of File with Dangerous Type (RCE Potential) | CWE-434 | N/A | N/A |
| CVE-2025-8121 | Blind SQL Injection (Article Positioning) | CWE-89 | N/A | N/A |
| CVE-2025-8122 | Blind SQL Injection (Article Positioning) | CWE-89 | N/A | N/A |
*Note: Specific CVSS scores and detailed severity levels were not provided in the source material for all entries.*
## Affected Systems
- **Products:** PAD CMS software
- **Versions:** All versions through 1.2.1
- **Configurations:** Vulnerabilities affect all 3 templates: `www`, `bip`, and `www+bip`.
## Vulnerability Description
This advisory covers a range of critical vulnerabilities:
1. **Unrestricted File Upload (CVE-2025-7063, -7065, -8120):** Flaws that allow unauthenticated remote attackers to upload files of arbitrary types and extensions because the permission check is performed on the client side. CVE-2025-8120 may lead to Remote Code Execution (RCE) if an uploaded file is executed by the server.
2. **Stored/Reflected Cross-Site Scripting (CVE-2025-8116):** Allows for arbitrary JavaScript execution when a crafted URL is opened by a victim.
3. **Authentication Bypass (CVE-2025-8117, -8118, -8119):** Flaws enable password changes for any user via improper password recovery initialization (CVE-2025-8117), client-side brute-force protection bypass via cookie manipulation (CVE-2025-8118), and CSRF on the password reset functionality (CVE-2025-8119).
4. **SQL Injection (CVE-2025-8121, -8122):** Blind SQL Injection vulnerabilities stemming from improper neutralization of user-supplied input in the article positioning functionality.
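The upload flaws listed above are described as a permission check the client controls combined with no restriction on the uploaded type. The following is an added illustration, not PAD CMS code (none is shown in this advisory), of the contrast between that pattern and a handler that takes the permission from the server-side session and allowlists the file type by extension and leading bytes. The `UploadRequest` and `Session` shapes, the `can_upload` form field and the allowlist are constructed for the example.

```python
"""Added example (not PAD CMS code): client-controlled vs. server-side upload checks."""
import os
import secrets
from dataclasses import dataclass, field

# Constructed allowlist: extension -> accepted leading bytes of the file content.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


@dataclass
class UploadRequest:
    filename: str                      # client-supplied name
    content: bytes                     # client-supplied bytes
    form_fields: dict = field(default_factory=dict)  # other POST fields


@dataclass
class Session:
    user_id: int
    can_upload: bool                   # permission held server-side, from the login


def vulnerable_accept(req: UploadRequest) -> bool:
    """The pattern the advisory attributes to CWE-434 here: the permission decision is
    read from a field the client sends ('can_upload' is a constructed name) and no
    restriction is placed on the file type."""
    return req.form_fields.get("can_upload") == "1"


def hardened_accept(req: UploadRequest, session: Session) -> tuple[bool, str]:
    """Decide from the session, allowlist the extension, confirm the content matches
    it, and return a server-chosen storage name so no client characters hit disk.
    Returns (accepted, storage_name_or_reason)."""
    if not session.can_upload:
        return False, "session lacks upload permission"
    # Drop directory components from either path separator before inspecting the name.
    base = os.path.basename(req.filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext}"
    if not any(req.content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # Server-generated name: the client's filename never reaches the filesystem.
    return True, f"upload_{session.user_id}_{secrets.token_hex(8)}.{ext}"
```

Because the stored name is generated on the server, double extensions or path fragments in the client's filename are irrelevant to where the file lands; the extension allowlist and the magic-byte check are what keep executable content out of a web-served directory.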
## Exploitation
- **Status:** Details on widespread exploitation are not specified, but PoCs are implied for many findings ("Own research").
- **Complexity:** Varies by vulnerability (CSRF and XSS are typically low complexity; turning the upload flaw into RCE is typically medium to high).
- **Attack Vector:** Depends on the specific vulnerability (network, adjacent, or local); the SQL injection and upload/RCE issues typically require only remote network access.
## Impact
Due to the variety of flaws, potential impacts are severe:
- **Confidentiality:** High (SQL Injection can lead to data exfiltration).
- **Integrity:** High (RCE, SQL Injection, and unauthorized password changes).
- **Availability:** Medium (Potential impact from denial of service via exploited file upload or database compromise).
## Remediation
### Patches
- **Status:** **No official patches will be released.** The vendor has declared PAD CMS End-Of-Life (EOL).
### Workarounds
Since no patches are expected, mitigation requires immediate action:
1. **Upgrade or Migrate:** Fully migrate away from PAD CMS to a supported, patched Content Management System.
2. **Restrict Access:** If immediate migration is impossible, restrict network access to the administrative interface of the PAD CMS installation to the absolute minimum number of trusted IPs/networks (e.g., via a WAF or firewall rules).
3. **Input Validation:** Implement stricter server-side input validation and output encoding at the application layer if possible, specifically targeting inputs used in article positioning and file uploads.
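Workaround 3 asks for server-side validation of the inputs used in article positioning. As an added example that is not PAD CMS code (the advisory does not show the affected query), the update below is written two ways: interpolating request values into SQL, the pattern behind CWE-89, and validating the values then binding them as parameters. The `articles` table and its columns are constructed for the example; an in-memory SQLite database stands in for the real one.

```python
"""Added example (not PAD CMS code): article position update, vulnerable vs. hardened."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with three constructed articles."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, position INTEGER)")
    con.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "News", 2), (3, "Contact", 3)],
    )
    con.commit()
    return con


def vulnerable_set_position(con: sqlite3.Connection, article_id: str, position: str) -> None:
    """Request parameters are pasted straight into the statement; whatever the
    client sends becomes part of the SQL."""
    con.execute(f"UPDATE articles SET position = {position} WHERE id = {article_id}")
    con.commit()


def hardened_set_position(con: sqlite3.Connection, article_id: str, position: str) -> bool:
    """Validate both values as integers, then bind them as parameters so the
    database never parses client text as SQL. Returns True only when exactly
    one row was updated."""
    try:
        aid, pos = int(article_id), int(position)
    except ValueError:
        return False                       # malformed input is refused, not sent on
    if aid <= 0 or pos < 0:
        return False
    cur = con.execute("UPDATE articles SET position = ? WHERE id = ?", (pos, aid))
    con.commit()
    return cur.rowcount == 1


def positions(con: sqlite3.Connection) -> list:
    """Current positions ordered by article id (used to observe the effect)."""
    return [row[0] for row in con.execute("SELECT position FROM articles ORDER BY id")]
```

The `rowcount == 1` check is a cheap second line of defence: an update that touched zero or several rows indicates either a bad id or a query that no longer means what the code intended, and either should be logged rather than silently accepted.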
## Detection
- **Indicators of Compromise (IoC):**
* Unexpected file uploads in web-accessible directories.
* Unusual database activity or high volume of sensitive queries (indicative of SQLi).
* Log entries showing multiple failed login attempts bypassed via cookie manipulation.
* Web application logs showing requests that carry XSS payloads, or password-reset requests completed outside the expected user flow (a sign of CSRF against the reset function).
- **Detection Methods and Tools:**
* WAF rules tuned to block known injection patterns and unauthorized file extensions in upload requests.
* Regular application monitoring for abnormal file write operations, particularly in web-accessible directories.
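The indicators and detection methods above can be checked from application logs without a WAF. The following detector is an added example, not tooling from CERT Polska or PAD CMS: it runs over constructed log lines in an assumed `<timestamp> <EVENT> key=value ...` format and raises alerts for uploads with a non-allowlisted extension, request paths carrying XSS markers, and source addresses whose failed-login count passes a threshold. Counting failures server-side from the log is what makes a client that resets its own lockout cookie (the CWE-602 issue) still visible. The event names, field names, threshold and marker list are assumptions.

```python
"""Added example (not from the advisory): log-based detection for the listed IoCs."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed log format: "<ts> <EVENT> key=value key="quoted value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

ALLOWED_UPLOAD_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}   # assumed site policy
FAILED_LOGIN_THRESHOLD = 5                                    # assumed tuning value
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample: one benign upload, one disallowed upload, one request with an
# encoded script tag, six failed logins from one address and one from another.
SAMPLE_LOG = """\
2025-09-30T10:00:01 UPLOAD ip=203.0.113.5 user=guest file="flyer.pdf"
2025-09-30T10:00:02 UPLOAD ip=203.0.113.5 user=guest file="update.php"
2025-09-30T10:00:03 REQUEST ip=198.51.100.9 path="/index.php?id=1&q=%3Cscript%3Ealert(1)%3C/script%3E"
2025-09-30T10:00:04 LOGIN_FAIL ip=203.0.113.5 user=admin
2025-09-30T10:00:05 LOGIN_FAIL ip=203.0.113.5 user=admin
2025-09-30T10:00:06 LOGIN_FAIL ip=203.0.113.5 user=admin
2025-09-30T10:00:07 LOGIN_FAIL ip=203.0.113.5 user=admin
2025-09-30T10:00:08 LOGIN_FAIL ip=203.0.113.5 user=admin
2025-09-30T10:00:09 LOGIN_FAIL ip=203.0.113.5 user=admin
2025-09-30T10:00:10 LOGIN_FAIL ip=198.51.100.9 user=editor
"""


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(m["rest"])}
    fields["ts"] = m["ts"]
    fields["event"] = m["event"]
    return fields


def analyze(log_text: str) -> list:
    """Scan the log and return (alert_type, source_ip, detail) tuples."""
    alerts = []
    failures = Counter()                      # failed logins per source address
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "UPLOAD":
            name = rec.get("file", "")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in ALLOWED_UPLOAD_EXT:
                alerts.append(("disallowed_upload", rec["ip"], name))
        elif rec["event"] == "REQUEST":
            # Decode percent-encoding before matching so encoded tags are not missed.
            decoded = unquote(rec.get("path", "")).lower()
            if any(marker in decoded for marker in XSS_MARKERS):
                alerts.append(("xss_pattern", rec["ip"], rec.get("path", "")))
        elif rec["event"] == "LOGIN_FAIL":
            failures[rec["ip"]] += 1
    # Threshold applied per address regardless of any client-side lockout state.
    for ip, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("brute_force", ip, str(count)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The failed-login counter is deliberately keyed on the source address rather than on anything the client supplies; in a real deployment it would be keyed on the target account as well, since the advisory's cookie-manipulation bypass leaves the server with no trustworthy per-client counter of its own.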
## References
- CERT Polska Advisory (General Source): [https://cert.pl/en/news/](https://cert.pl/en/news/) (Search for vulnerabilities published September 30, 2025)
- CVE Records (Defanged for safety):
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-7063](https://www.cve.org/CVERecord?id=CVE-2025-7063)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-7065](https://www.cve.org/CVERecord?id=CVE-2025-7065)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-8116](https://www.cve.org/CVERecord?id=CVE-2025-8116)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-8117](https://www.cve.org/CVERecord?id=CVE-2025-8117)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-8118](https://www.cve.org/CVERecord?id=CVE-2025-8118)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-8119](https://www.cve.org/CVERecord?id=CVE-2025-8119)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-8120](https://www.cve.org/CVERecord?id=CVE-2025-8120)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-8121](https://www.cve.org/CVERecord?id=CVE-2025-8121)
* [www-dot-cve-dot-org/CVERecord?id=CVE-2025-8122](https://www.cve.org/CVERecord?id=CVE-2025-8122)