Remote File Upload Vulnerability in Digiwin ERP by Digiwin
CVE-2025-2705
7.3 HIGH
What is CVE-2025-2705?
A vulnerability in the Digiwin ERP application affects the file upload functionality of the DoUpload/DoWebUpload features in the /Api/FileUploadApi.ashx file. The flaw allows an unauthenticated user to bypass security controls and execute arbitrary code by uploading malicious files. It can be exploited remotely and poses a significant risk to systems using Digiwin ERP 5.1, especially since it was disclosed to the public without a response from the vendor.
CVSS V3.1
Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
