CVE-2025-7917

WinMatrix3 Web package developed by Simopro Technology has an Arbitrary File Upload vulnerability, allowing remote attackers with administrator privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/en/cp-139-10263-5f2e7-2.html
https://www.twcert.org.tw/tw/cp-132-10258-16bbf-1.html

Configurations

No configuration.

History

22 Jul 2025, 13:06

Type	Values Removed	Values Added
Summary		(es) El paquete web WinMatrix3 desarrollado por Simopro Technology tiene una vulnerabilidad de carga de archivos arbitraria, que permite a atacantes remotos con privilegios de administrador cargar y ejecutar puertas traseras de shell web, lo que permite la ejecución de código arbitrario en el servidor.

21 Jul 2025, 07:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2

21 Jul 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-21 06:15

Updated : 2025-07-22 13:06

NVD link : CVE-2025-7917

Mitre link : CVE-2025-7917

CVE.ORG link : CVE-2025-7917

JSON object : View

Products Affected

No product.

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-7917", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-21T06:15:28.997", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10263-5f2e7-2.html", "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10258-16bbf-1.html", "source": "twcert@cert.org.tw"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "WinMatrix3 Web package developed by Simopro Technology has an Arbitrary File Upload vulnerability, allowing remote attackers with administrator privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}, {"lang": "es", "value": "El paquete web WinMatrix3 desarrollado por Simopro Technology tiene una vulnerabilidad de carga de archivos arbitraria, que permite a atacantes remotos con privilegios de administrador cargar y ejecutar puertas traseras de shell web, lo que permite la ejecuci\u00f3n de c\u00f3digo arbitrario en el servidor."}], "lastModified": "2025-07-22T13:06:07.260", "sourceIdentifier": "twcert@cert.org.tw"}