CVE-2025-1165
📋 TL;DR
This critical vulnerability in Lumsoft ERP 8 allows remote attackers to upload arbitrary files without restrictions via the DoUpload/DoWebUpload function in the FileUploadApi.ashx endpoint. Attackers can exploit this to upload malicious files, potentially leading to remote code execution or system compromise. All systems running vulnerable versions of Lumsoft ERP 8 are affected.
💻 Affected Systems
- Lumsoft ERP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, ransomware deployment, or creation of persistent backdoors.
Likely Case
Attackers upload web shells or malicious scripts to gain unauthorized access, execute commands, or deploy malware on the server.
If Mitigated
With proper file validation and access controls, impact is limited to potential denial of service or unauthorized file storage.
🎯 Exploit Status
The exploit has been publicly disclosed on GitHub, making it easily accessible to attackers. Authentication requirements are unclear from available information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - Check with Lumsoft vendor for specific patched version
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
1. Contact Lumsoft vendor for security patches.
2. Apply the latest security update for Lumsoft ERP 8.
3. Verify the patch addresses the FileUploadApi.ashx vulnerability.
🔧 Temporary Workarounds
Block File Upload Endpoint
all: Temporarily block access to the vulnerable /Api/FileUploadApi.ashx endpoint using a web application firewall or network controls.
# Example WAF rule to block /Api/FileUploadApi.ashx
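# Example nginx (case-insensitive and without an end anchor, since IIS ignores path case and .ashx handlers accept trailing path info): location ~* ^/Api/FileUploadApi\.ashx { deny all; }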
Implement File Upload Restrictions
Windows/IIS: Configure the application to restrict file uploads to specific file types and sizes, and implement proper validation.
# Configure in web.config or application settings
# Example: <add fileExtension=".exe" allowed="false" />
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Lumsoft ERP systems from critical infrastructure.
- Deploy a web application firewall with rules to detect and block malicious file upload patterns.
🔍 How to Verify
Check if Vulnerable:
Test if you can upload arbitrary files (like .aspx, .php, .exe) to the /Api/FileUploadApi.ashx endpoint without proper validation.
Check Version:
Check Lumsoft ERP administration panel or application metadata for version information.
Verify Fix Applied:
Attempt to upload malicious file types; a successful fix should reject unauthorized file types with proper error messages.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /Api/FileUploadApi.ashx
- Uploads of executable files (.exe, .aspx, .php)
- Large number of upload requests from a single IP
Network Indicators:
- POST requests to /Api/FileUploadApi.ashx with suspicious file extensions
- Unusual outbound connections from Lumsoft server after uploads
SIEM Query:
source="web_server" AND uri="/Api/FileUploadApi.ashx" AND (file_extension="aspx" OR file_extension="php" OR file_extension="exe")
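
The log indicators and SIEM query above, applied to IIS W3C logs, as an added example that is not part of the original advisory. Standard IIS W3C fields do not include the uploaded file name, so instead of a `file_extension` field this code flags upload bursts per client and requests for script paths first seen after that client uploaded. The sample log lines, the `/Upload/a1.aspx` path and the burst threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

ENDPOINT = "/api/fileuploadapi.ashx"  # from the advisory, lowercased: IIS ignores path case
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|php|exe)$", re.I)  # page lists .aspx .php .exe
BURST = 3  # assumed threshold for "large number of upload requests from a single IP"

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-02-11 09:00:01 GET /Login.aspx - 198.51.100.7 200
2025-02-11 09:00:05 POST /Api/FileUploadApi.ashx - 198.51.100.7 200
2025-02-11 09:00:09 GET /Upload/a1.aspx - 198.51.100.7 200
2025-02-11 09:01:00 POST /api/fileuploadapi.ashx - 203.0.113.9 200
2025-02-11 09:01:01 POST /api/fileuploadapi.ashx - 203.0.113.9 200
2025-02-11 09:01:02 POST /API/FileUploadApi.ashx - 203.0.113.9 200
2025-02-11 09:02:00 POST /Api/FileUploadApi.ashx - 192.0.2.44 403
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column order."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def detect(text):
    """Return (client_ip, reason, path) findings in log order."""
    uploads = defaultdict(int)   # successful upload POSTs per client IP
    known_scripts = {ENDPOINT}   # script paths already seen, treated as legitimate pages
    findings = []
    for r in parse_w3c(text):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        ok = r["sc-status"].startswith("2")
        if r["cs-method"] == "POST" and stem.startswith(ENDPOINT):
            if ok:  # rejected uploads (403 etc.) are not counted
                uploads[ip] += 1
                if uploads[ip] == BURST:
                    findings.append((ip, "upload-burst", stem))
        elif SCRIPT_EXT.search(stem):
            if uploads[ip] and ok and stem not in known_scripts:
                findings.append((ip, "new-script-after-upload", stem))
            known_scripts.add(stem)
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On real logs, seed `known_scripts` from a pre-incident baseline so pages first requested after an upload are not mistaken for new files.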