CVE-2025-34336

N/A Unknown

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload arbitrary files to eGovFramework servers through the web editor image upload endpoints (/utl/wed/insertImage.do and /utl/wed/insertImageCk.do). Because the uploaded files are stored and served under the application's own origin, an attacker can use an affected application as a persistent file hosting service on a trusted domain. Every deployment running a vulnerable version of eGovFramework's common components with that upload functionality enabled is affected.

💻 Affected Systems

Products:
  • eGovFramework/egovframe-common-components
Versions: Up to and including version 4.3.1
Operating Systems: Any (the components are pure Java and run wherever the application runs)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every deployment that ships the vulnerable components with the web editor image upload functionality enabled; the flaw is in the application code, not in the platform or container.

⚠️ Manual Verification Required

This CVE does not carry a version range in our database, so automatic vulnerability detection cannot decide whether your system is affected.

Why? The NVD entry does not state which versions are vulnerable (no version ranges were provided by the vendor or NVD). The "up to and including 4.3.1" bound listed above should therefore be confirmed against the vendor advisory before you rely on it.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers host malicious content (malware, phishing pages, exploit kits) on a legitimate government or enterprise domain, where it inherits the domain's reputation and slips past reputation-based security controls, and the attacker gains persistence on the server.

🟠 Likely Case

Attackers abuse the application as a file hosting service for malicious payloads, phishing content, or data exfiltration drop points.

🟢 If Mitigated

If uploaded files cannot execute on the server (for example, because the upload directory is served as static content only), impact is limited to hosting non-executable content under the application's origin, which still lets attackers trade on the trust placed in a legitimate domain.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation lets any internet user upload files to a vulnerable server.
🏢 Internal Only: MEDIUM - Internal attackers can abuse the vulnerability just as easily, but exploitation requires network reachability to the application.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single HTTP POST with a multipart file upload to one of the vulnerable endpoints; no session or token is needed. Public technical details are available in the referenced advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.egovframe.go.kr/eng/sub.do?menuNo=2

Restart Required: Yes

Instructions:

1. Monitor the eGovFramework vendor for security updates.
2. Apply patches when they become available.
3. Restart application servers after patching.

🔧 Temporary Workarounds

Disable vulnerable endpoints (all platforms)

Remove or block access to the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do endpoints, either in the web server or reverse proxy configuration in front of the application or with application firewall rules that reject requests to these paths. This also disables image insertion in the web editor for legitimate users until a fixed version is deployed.

Implement authentication (all platforms)

Require an authenticated session for the image upload endpoints, for example by configuring Spring Security (or the application's own authentication interceptor) to deny anonymous requests to these paths. Match the configuration syntax to the Spring Security version actually bundled with your deployment.
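As an added example (not from the vendor advisory or the eGovFrame project), the endpoint block expressed as an nginx reverse-proxy configuration. It assumes nginx sits in front of the servlet container at 127.0.0.1:8080 and that the application is deployed at the root context; the server name and upstream address are placeholders.

```nginx
# Added example: deny the two upload endpoints at the reverse proxy.
# Assumes the application is deployed at "/" behind an upstream on 127.0.0.1:8080
# (both are placeholders; adjust to the real deployment).
upstream egov_app {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name egov.example.go.kr;   # placeholder

    # Regex location, checked before the "/" prefix location below. It also
    # matches ";jsessionid=..." path parameters and a trailing slash, which an
    # exact "location =" would miss. nginx collapses repeated slashes before
    # matching (merge_slashes is on by default), so "//utl/wed/..." is covered too.
    location ~ ^/utl/wed/insertImage(Ck)?\.do(;|/|$) {
        return 403;
    }

    location / {
        proxy_pass http://egov_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The block only helps if the container port is not reachable directly, so firewall 8080 to the proxy host. If the application runs under a servlet context path, prefix it to the regex. Expect the editor's image insertion to fail for all users while this is in place.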

🧯 If You Can't Patch

  • Implement WAF rules that block unauthenticated file uploads (POST requests without a valid session) to the vulnerable endpoints
  • Serve the upload destination as static content only, with no JSP or servlet execution, and preferably from a separate origin, so a stored file can neither execute nor inherit the application's origin
  • Deploy network segmentation to isolate vulnerable systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Send an unauthenticated POST request with a multipart file upload to /utl/wed/insertImage.do or /utl/wed/insertImageCk.do. If the request is accepted (2xx response, and a file appears in the upload location), the instance is vulnerable. Use a harmless image as the probe, not an executable payload.

Check Version:

Check pom.xml, the build metadata, or the deployed WAR's version information for the egovframe-common-components version in use.

Verify Fix Applied:

Repeat the unauthenticated upload test and confirm it is rejected (401, 403, or a redirect to the login page) or that the endpoints are no longer reachable; then confirm that an authenticated upload still works if the editor is meant to stay in use.
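The check described under "Check if Vulnerable" and "Verify Fix Applied", as an added example in Python that is not part of the advisory or the eGovFrame project. It POSTs a valid 1x1 PNG to both endpoints without any session cookie and classifies the response. The multipart field name is not stated on this page, so `file` is a default you should override with the name the editor's upload form actually uses; the verdict logic (2xx accepted, 401/403 rejected, 3xx inspect the redirect target) is this example's own convention.

```python
import base64
import sys
import uuid
import urllib.error
import urllib.request
from typing import Optional, Tuple

# The two endpoints named in this advisory.
ENDPOINTS = ("/utl/wed/insertImage.do", "/utl/wed/insertImageCk.do")

# A valid 1x1 transparent PNG. The probe uploads a real image, not a web shell,
# so a positive result never leaves an executable file on the target.
PNG_1X1 = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"
    "AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)


def build_multipart(field: str, filename: str, data: bytes, content_type: str,
                    boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Encode one file part as multipart/form-data; returns (body, Content-Type header value)."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def classify(status: int, location: Optional[str] = None) -> str:
    """Map the HTTP response to an unauthenticated upload POST to a verdict (example convention)."""
    if 200 <= status < 300:
        return "ACCEPTED"        # reached the handler without auth; confirm a file was stored
    if status in (401, 403):
        return "REJECTED"        # authentication or access control enforced
    if 300 <= status < 400:
        # Usually a redirect to a login page (auth enforced); inspect the target.
        return f"REDIRECT -> {location or '?'}"
    if status == 404:
        return "ABSENT"          # endpoint not deployed or already removed
    return f"UNEXPECTED {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses to the caller instead of silently following them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, path: str, field: str = "file",
          timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """POST the probe image with no session cookie; return (status, Location header)."""
    body, ctype = build_multipart(field, "probe.png", PNG_1X1, "image/png")
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=body, method="POST",
        headers={"Content-Type": ctype, "User-Agent": "egov-upload-probe/1.0"},
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} https://host[/context] [form-field-name]")
    base = sys.argv[1]
    field = sys.argv[2] if len(sys.argv) > 2 else "file"   # assumption: override as needed
    for endpoint in ENDPOINTS:
        status, location = probe(base, endpoint, field)
        print(f"{endpoint}: HTTP {status} -> {classify(status, location)}")
```

Run it against a test instance you are authorised to probe, before and after applying the workaround or patch. An ACCEPTED verdict only proves the handler answered an anonymous request; look for the stored file (or the path the response returns) to confirm the upload actually landed.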

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /utl/wed/insertImage*.do with a multipart body, especially ones with a 2xx response and no preceding login activity from the same client
  • Unusual file upload patterns to the image endpoints (high volume, many distinct filenames, off-hours bursts)

Network Indicators:

  • HTTP POST requests to the vulnerable endpoints from clients that never established a session
  • File uploads whose content or declared Content-Type is not an image

SIEM Query:

source="web_server" AND (url="/utl/wed/insertImage.do" OR url="/utl/wed/insertImageCk.do") AND method="POST" AND user="-"

Caveat: the `user` field of a web server access log only records HTTP-level authentication (Basic/Digest). For an application that authenticates with a session cookie it is always "-", so the `user="-"` clause does not distinguish anonymous from logged-in requests. Treat every POST to these paths as a candidate and confirm authentication state from the application's own logs or session store.
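The log indicators above, implemented as an added example in Python that runs over NCSA combined-format access log lines (the default format of Apache httpd and nginx). It is not part of the advisory or the eGovFrame project. The sample lines are constructed for this example, not real traffic; the path normalisation (dropping query strings and `;jsessionid` path parameters, collapsing repeated slashes, matching on the path suffix so a servlet context path still matches) is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List

# The two upload endpoints named in this advisory. Matching is on the path
# suffix so a deployment under a servlet context path ("/app/utl/...") is caught.
VULNERABLE_SUFFIXES = ("/utl/wed/insertImage.do", "/utl/wed/insertImageCk.do")

# NCSA combined log format. The third field is the HTTP-auth user; for
# session-cookie applications it is always "-", so it is parsed but never used
# as evidence that the request was (or was not) authenticated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic). They exercise query strings,
# ";jsessionid" path parameters, a wrong method and an unrelated endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0900] "POST /utl/wed/insertImage.do HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2025:10:01:03 +0900] "GET /uploads/img/shell.jsp HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2025:10:05:00 +0900] "POST /utl/wed/insertImageCk.do;jsessionid=ABC123?CKEditorFuncNum=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.20 - - [12/May/2025:10:06:00 +0900] "GET /utl/wed/insertImage.do HTTP/1.1" 405 0 "-" "curl/8.0"
192.0.2.21 - - [12/May/2025:10:07:00 +0900] "POST /utl/wed/insertImage.do HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.22 - - [12/May/2025:10:08:00 +0900] "POST /cop/bbs/insertBoardArticle.do HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""


@dataclass(frozen=True)
class UploadHit:
    ip: str
    timestamp: str
    path: str
    status: int
    # True for a 2xx answer: the request reached the handler and was not refused.
    # Whether a file was actually stored must be confirmed from the application
    # log or the upload directory.
    accepted: bool


def normalise_path(target: str) -> str:
    """Reduce a request target to the servlet path the application matched on."""
    path = target.split("?", 1)[0]       # drop the query string
    path = path.split(";", 1)[0]         # drop ";jsessionid=..." path parameters
    path = re.sub(r"/{2,}", "/", path)   # collapse repeated slashes
    return path.rstrip("/") or "/"


def is_vulnerable_path(path: str) -> bool:
    return any(path.endswith(suffix) for suffix in VULNERABLE_SUFFIXES)


def find_upload_attempts(log_text: str) -> List[UploadHit]:
    """Return every POST to a vulnerable endpoint, in log order."""
    hits: List[UploadHit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalise_path(m["target"])
        if not is_vulnerable_path(path):
            continue
        status = int(m["status"])
        hits.append(UploadHit(m["ip"], m["ts"], path, status, 200 <= status < 300))
    return hits


if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        verdict = "upload likely accepted" if hit.accepted else "blocked/refused"
        print(f"{hit.timestamp} {hit.ip} POST {hit.path} -> {hit.status} ({verdict})")
```

Feed real log files through `find_upload_attempts` and correlate each accepted hit with the application's session log to decide whether the client was logged in. The second sample line (a GET of a `.jsp` under the upload directory right after an accepted upload) is not flagged by this detector but is the follow-on activity to hunt for once a hit is found.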
