CVE-2025-12867
📋 TL;DR
CVE-2025-12867 is an arbitrary file upload vulnerability in EIP Plus software developed by Hundred Plus. It allows authenticated remote attackers with elevated privileges to upload malicious files (like web shells) and execute arbitrary code on affected servers. Organizations using vulnerable versions of EIP Plus are at risk.
💻 Affected Systems
- EIP Plus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor access.
Likely Case
Attackers upload web shells to gain remote code execution, steal sensitive data, and maintain persistent access to the server.
If Mitigated
With proper file upload validation and server hardening, exploitation attempts would be blocked or detected early.
🎯 Exploit Status
Exploitation requires privileged credentials but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references; check vendor advisory for latest patched version
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html
Restart Required: Yes
Instructions:
1. Check vendor advisory for patched version.
2. Backup system and data.
3. Apply patch from vendor.
4. Restart affected services.
5. Verify fix.
🔧 Temporary Workarounds
Restrict File Upload Types
Configure the web server to only allow specific safe file extensions (e.g., .pdf, .docx) and block executable extensions from being served out of the upload directory.
# Example for Apache: add to .htaccess (or to a <Directory> block for the upload directory)
# Apache 2.4 syntax shown; on Apache 2.2 use "Order Allow,Deny" / "Deny from all" instead of "Require all denied".
# (?i) makes the match case-insensitive so shell.PHP is blocked as well; no trailing $ so shell.php.jpg is also blocked.
<FilesMatch "(?i)\.(php|asp|jsp|sh|pl)">
Require all denied
</FilesMatch>
Implement File Upload Validation
Add server-side validation to check file type, size, and content before allowing uploads.
# Example validation (Python): allowlist the final extension and cap the size before the file touches disk
ALLOWED_EXTENSIONS = {"pdf", "docx"}
def validate_upload(filename, data, max_bytes=10_000_000):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS or len(data) > max_bytes:
        raise ValueError("upload rejected")  # reject_upload() in the original pseudo-code
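A fuller version of the validation both workarounds describe, written as an added example for this page (it is not code from the advisory or from the EIP Plus vendor). It assumes the application only needs to accept PDF and DOCX uploads, that a 10 MB cap is acceptable, and that the on-disk name is chosen by the server rather than the client; the policy constants and sample inputs are constructed for the example. It goes beyond the pseudo-code above in three ways a web-shell upload typically exploits: it strips client-supplied directory components, rejects an executable extension hidden in the middle of the name, and checks the leading bytes of the body against the declared type.

```python
import os
import re

# Policy values below are assumptions for this example; adjust them to the deployment.
ALLOWED_EXTENSIONS = {"pdf", "docx"}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024
# Leading bytes ("magic numbers") a file of each allowed type must start with.
MAGIC = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}
# Extensions that must never appear between the base name and the final extension
# (shell.php.pdf is still dangerous on servers that pick the handler from the first
# extension they recognise).
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "asp", "aspx", "jsp", "jspx", "sh", "pl", "cgi"}
# Only plain, short basenames are accepted: no path separators, spaces or control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def validate_upload(filename, data):
    """Return (accepted, reason) for one upload; the caller writes the file only if accepted."""
    # 1. Drop any client-supplied directory component, then require a plain basename.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return False, "unsafe filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    # 2. The final extension must be on the allowlist (an allowlist, not a denylist of "bad" ones).
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    # 3. No executable extension hidden earlier in the name.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return False, "executable extension in filename"
    # 4. Size bounds: empty or oversized bodies are rejected before content inspection.
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # 5. The body must look like the declared type, so a script renamed to .pdf is caught.
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not match extension"
    return True, "accepted"


# Constructed samples: (client-supplied filename, first bytes of the body).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),                 # genuine PDF: accepted
    ("notes.docx", b"PK\x03\x04\x14\x00\x06\x00"),  # genuine DOCX (ZIP header): accepted
    ("shell.php", b"<?php echo 'x'; ?>"),           # executable extension: rejected
    ("shell.php.pdf", b"%PDF-1.4\n"),               # executable extension hidden mid-name: rejected
    ("doc.docx", b"<?php echo 'x'; ?>"),            # script body with a document extension: rejected
    ("../../x.pdf", b"%PDF-1.4\n"),                 # traversal stripped to x.pdf, then accepted
]


def run_samples():
    """Validate every constructed sample and return [(filename, (accepted, reason)), ...]."""
    return [(name, validate_upload(name, body)) for name, body in SAMPLES]


if __name__ == "__main__":
    for name, (ok, reason) in run_samples():
        print(f"{name:20s} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The order of the checks matters: the name is normalised before the extension is read, and the body is inspected only after the cheap size bound, so a large script body is refused without reading it. Store accepted files under a server-generated name outside the document root, or in a directory the web server is configured not to execute from, so the content check is not the only barrier.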
🧯 If You Can't Patch
- Isolate affected system from internet and restrict network access to necessary services only.
- Implement strict access controls and monitor for unusual file upload activities.
🔍 How to Verify
Check if Vulnerable:
Review system logs for unauthorized file uploads or test with controlled upload of non-executable file to check validation.
Check Version:
Check EIP Plus version via admin interface or consult vendor documentation.
Verify Fix Applied:
Attempt to upload a file with executable extension; it should be blocked or fail validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to upload directories
- Requests for uploaded files with executable extensions
- Privileged user activity anomalies
Network Indicators:
- Unexpected outbound connections from server post-upload
- Traffic to known web shell patterns
SIEM Query:
source="web_server" AND (url="*upload*" AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp"))
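The SIEM query above packs the log indicators into one search. The following is an added example, not part of the advisory, that applies the same logic offline in Python to a handful of constructed access-log lines and adds the correlation the network indicators hint at: an upload of an executable file name followed by a request for that same file from the upload directory. It assumes a combined-format access log, that upload endpoints and directories contain "upload" in their path, and that the uploaded name is carried in a name/filename/file query parameter; none of these are taken from EIP Plus.

```python
import re
import urllib.parse

# Apache/nginx "combined" access-log line; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Executable extensions to flag, at the end of the path or just before a query string.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|jsp|jspx|sh|pl|cgi)(\?|$)", re.IGNORECASE)

SAMPLE_LOG = """\
10.0.0.5 - admin [03/Nov/2025:10:01:02 +0000] "POST /eip/upload?name=report.pdf HTTP/1.1" 200 512
10.0.0.5 - admin [03/Nov/2025:10:03:14 +0000] "POST /eip/upload?name=shell.php HTTP/1.1" 200 512
10.0.0.5 - - [03/Nov/2025:10:03:20 +0000] "GET /eip/uploads/shell.php HTTP/1.1" 200 88
198.51.100.7 - - [03/Nov/2025:10:05:00 +0000] "GET /eip/uploads/report.pdf HTTP/1.1" 200 4096
"""


def parse(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def uploaded_name(path):
    """Pull the uploaded file name out of the query string (assumed parameter names)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    for key in ("name", "filename", "file"):
        if key in params:
            return params[key][0]
    return None


def detect(log_text):
    """Run the two SIEM rules plus upload-then-request correlation; return a list of alert dicts."""
    alerts = []
    uploaded = {}  # lower-cased uploaded basename -> the POST record that uploaded it
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"]
        lower = path.lower()
        if rec["method"] == "POST" and "upload" in lower:
            # Rule 1: an upload request whose file name carries an executable extension.
            name = uploaded_name(path)
            if name:
                uploaded[name.lower()] = rec
                if EXEC_EXT.search(name):
                    alerts.append({"rule": "executable_upload", "user": rec["user"],
                                   "ip": rec["ip"], "file": name})
        elif "upload" in lower and EXEC_EXT.search(lower):
            # Rule 2: anything under an upload directory being requested with an executable extension.
            base = urllib.parse.urlsplit(path).path.rsplit("/", 1)[-1]
            alert = {"rule": "executable_requested_from_upload_dir", "ip": rec["ip"], "file": base}
            if base.lower() in uploaded:
                # Correlation: the same name was uploaded earlier in this log; note who did it.
                alert["rule"] = "upload_then_execute"
                alert["uploaded_by"] = uploaded[base.lower()]["user"]
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The correlation step is what turns two noisy indicators into a high-confidence one: a privileged account uploading a file with a script extension, followed minutes later by a request for that file from the upload directory, is the sequence the "Likely Case" section describes. In a production SIEM the same join is expressed as a transaction or sequence search keyed on the file name.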