CVE-2025-14522

6.3 MEDIUM

📋 TL;DR

This CVE describes an unrestricted file upload vulnerability in baowzh hfly's upload_json.php component. Attackers can remotely upload malicious files by manipulating the imgFile parameter, potentially leading to arbitrary code execution or website defacement. All systems running baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c are affected.

💻 Affected Systems

Products:
  • baowzh hfly
Versions: Up to commit 638ff9abe9078bc977c132b37acbe1900b63491c
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Kindeditor component's upload_json.php file. No version details available due to rolling release model.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Website defacement, malware hosting, or limited file system access through uploaded web shells.

🟢 If Mitigated

Uploaded files remain isolated without execution privileges, causing minimal impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit documentation exists. The attack requires only an HTTP POST request with a manipulated imgFile parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure. Consider removing or replacing the vulnerable component.

🔧 Temporary Workarounds

Disable vulnerable endpoint (platform: linux)

Block or remove access to /Public/Kindeditor/php/upload_json.php:

mv /path/to/Public/Kindeditor/php/upload_json.php /path/to/Public/Kindeditor/php/upload_json.php.disabled
chmod 000 /path/to/Public/Kindeditor/php/upload_json.php.disabled

Implement file upload restrictions (platform: all)

Add server-side validation for file types, extensions, and content.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block malicious upload patterns
  • Restrict network access to affected systems and monitor for suspicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check if /Public/Kindeditor/php/upload_json.php exists and accepts file uploads without proper validation

Check Version:

git log --oneline | head -1

Verify Fix Applied:

Test that file uploads to the vulnerable endpoint are properly restricted or blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to upload_json.php
  • POST requests with suspicious file extensions
  • Large number of upload attempts

Network Indicators:

  • HTTP POST requests to /Public/Kindeditor/php/upload_json.php with executable files

SIEM Query:

source="web_logs" AND uri="/Public/Kindeditor/php/upload_json.php" AND method="POST" AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")
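The SIEM query above matches only an exact "php" extension. The following added example (not part of this advisory or of the hfly project) runs the same indicators over constructed JSON-per-line web log records and goes a little further: it flags executable extensions anywhere in the uploaded filename regardless of case, and it counts POST attempts per source address for the burst indicator. The record field names, the extra extension list and the burst threshold are assumptions.

```python
import json
from collections import Counter

# Endpoint named in the advisory; everything else in this file is constructed.
UPLOAD_URI = "/Public/Kindeditor/php/upload_json.php"

# The advisory's query checks php/jsp/asp; the extra PHP variants are an assumption
# based on what many Apache/nginx handler mappings also pass to the interpreter.
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "jsp", "asp", "aspx"}

# Assumed threshold for the "large number of upload attempts" indicator.
BURST_THRESHOLD = 5

def executable_extensions(filename):
    """Executable extensions found in ANY dot-separated part after the first,
    lower-cased, so 'shell.PhP' and 'img.php.jpg' are both reported."""
    parts = filename.lower().split(".")[1:]
    return {p for p in parts if p in EXEC_EXTENSIONS}

def analyse(log_lines):
    """Return (alerts, burst_sources) for JSON records with the assumed fields
    src_ip, method, uri and upload_filename."""
    alerts = []
    attempts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri") != UPLOAD_URI:
            continue
        attempts[rec["src_ip"]] += 1
        exts = executable_extensions(rec.get("upload_filename", ""))
        if exts:
            alerts.append((rec["src_ip"], rec["upload_filename"], sorted(exts)))
    burst = [ip for ip, n in attempts.items() if n >= BURST_THRESHOLD]
    return alerts, burst

def _rec(ip, method, name, uri=UPLOAD_URI):
    return json.dumps({"src_ip": ip, "method": method, "uri": uri, "upload_filename": name})

# Constructed sample log: one benign upload, two disguised executables, a GET,
# an unrelated POST, and a burst of repeated attempts from the first address.
SAMPLE_LOG = [
    _rec("203.0.113.7", "POST", "photo.jpg"),
    _rec("203.0.113.7", "POST", "shell.PhP"),
    _rec("198.51.100.2", "POST", "img.php.jpg"),
    _rec("198.51.100.2", "GET", ""),
    _rec("192.0.2.10", "POST", "report.php", uri="/index.php"),
] + [_rec("203.0.113.7", "POST", "try%d.jpg" % i) for i in range(4)]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```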
