CVE-2025-28168

6.4 MEDIUM

📋 TL;DR

CVE-2025-28168 is an unrestricted file upload vulnerability in the Multiple File Upload add-on for OutSystems. Attackers can bypass client-side file validation by intercepting and modifying upload requests, allowing them to upload malicious files. This affects OutSystems applications using the vulnerable third-party component version 3.1.0.

💻 Affected Systems

Products:
  • Multiple File Upload add-on for OutSystems
Versions: 3.1.0
Operating Systems: All platforms running OutSystems
Default Config Vulnerable: ⚠️ Yes
Notes: This is a third-party component not supplied or supported by OutSystems

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment

🟠

Likely Case

Malware upload leading to backdoor installation, data theft, or denial of service

🟢

If Mitigated

Limited impact with proper server-side validation and file execution restrictions

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (an actual upload through the component), but the client-side check is trivially bypassed by intercepting and modifying the upload request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.outsystems.com/forge/component-overview/200/multiple-file-upload-o11

Restart Required: No

Instructions:

1. Check component developer for updated version
2. Remove or replace vulnerable component
3. Implement server-side file validation

🔧 Temporary Workarounds

Implement server-side file validation

Applies to: all platforms

Add server-side checks for file extensions (an allowlist, not a denylist), the declared MIME type against the actual file content, and file size. The add-on's client-side validation can be bypassed, so it must never be the only check.
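A server-side validation routine of the kind this workaround calls for, written here as an added example (it is not the add-on's or OutSystems' own code). It assumes a constructed allowlist of image and PDF types, a 5 MiB size cap, and that the caller passes the client-supplied filename, the declared Content-Type header and the raw bytes:

```python
import os
import re

# Constructed allowlist for this example (not the add-on's own policy): for each
# permitted extension, the MIME type the client must declare and the magic
# bytes the content must actually start with.
ALLOWED = {
    "png":  ("image/png",       (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg",      (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg",      (b"\xff\xd8\xff",)),
    "pdf":  ("application/pdf", (b"%PDF-",)),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap for this example


def safe_basename(filename):
    """Drop any client-supplied directory part and non-portable characters."""
    name = os.path.basename(filename.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def validate_upload(filename, declared_type, data):
    """Server-side check of one uploaded file.

    Returns (True, stored_name) or (False, reason). Nothing the client sends
    is trusted on its own: name, declared MIME type and content must agree.
    """
    if len(data) > MAX_BYTES:
        return False, "file too large"
    name = safe_basename(filename)
    segments = name.lower().split(".")
    # Need a non-empty base and at least one extension; this also rejects
    # dotfiles such as ".htaccess" and names with empty segments ("a..png").
    if len(segments) < 2 or not all(segments):
        return False, "missing or malformed extension"
    # Every dotted segment after the base must itself be an allowed extension,
    # so a double extension such as "name.php.jpg" is rejected outright.
    exts = segments[1:]
    if any(e not in ALLOWED for e in exts):
        return False, "extension not allowed"
    mime, magics = ALLOWED[exts[-1]]
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, "declared MIME type does not match extension"
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match extension"
    return True, name
```

Store accepted files under the returned name (or a server-generated one) outside the web root, and log every rejection reason, since those rejections are the upload-log indicators listed under Detection & Monitoring.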

Restrict file execution in upload directories

Applies to: all platforms

Configure the web server so that files in the upload directory are never handed to a script handler:

nginx:
  location ~* \.(php|asp|aspx|jsp)$ { deny all; }

Apache (2.2 syntax; on Apache 2.4 use Require all denied inside the block, or enable mod_access_compat):
  <FilesMatch "\.(php|asp|aspx|jsp)$">
    Order Deny,Allow
    Deny from all
  </FilesMatch>

These rules only cover the listed extensions. Scope them to the upload directory, extend the list to every handler the server has enabled, and prefer serving uploads from a location with no script handlers at all.

🧯 If You Can't Patch

  • Disable or remove the Multiple File Upload component entirely
  • Implement WAF rules to block suspicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check if Multiple File Upload component version 3.1.0 is installed in OutSystems environment

Check Version:

Check component version in OutSystems Service Center or application manifest

Verify Fix Applied:

Test file upload with malicious extensions to confirm server-side validation blocks them

📡 Detection & Monitoring

Log Indicators:

  • Unusual file extensions in upload logs
  • Large file uploads bypassing size limits
  • Multiple failed upload attempts with suspicious extensions

Network Indicators:

  • HTTP POST requests with modified file parameters
  • Uploads of executable file types to upload endpoints

SIEM Query:

source="web_logs" AND (method="POST" AND uri="*upload*" AND (file_extension="php" OR file_extension="asp" OR file_extension="jsp" OR file_extension="exe"))
