CVE-2025-63695

9.8 CRITICAL

📋 TL;DR

DzzOffice v2.3.7 and earlier contains an arbitrary file upload vulnerability in the UEditor component that allows attackers to upload malicious files to the server. This affects all installations using vulnerable versions of DzzOffice, a collaborative office platform. Successful exploitation can lead to complete system compromise.

💻 Affected Systems

Products:
  • DzzOffice
Versions: v2.3.7 and all earlier versions
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the UEditor component at /dzz/system/ueditor/php/controller.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full server takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Webshell deployment allowing persistent backdoor access, file manipulation, and potential privilege escalation.

🟢 If Mitigated

Limited file system access if proper file upload restrictions and web server permissions are configured.

🌐 Internet-Facing: HIGH - Directly exploitable via web interface without authentication.
🏢 Internal Only: HIGH - Equally exploitable from internal networks if accessible.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits available on GitHub. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Upgrade to a version later than v2.3.7 once the vendor releases one, or apply the workarounds below.

🔧 Temporary Workarounds

Disable vulnerable endpoint (linux)

Block or remove access to the vulnerable UEditor controller file. Rename it so the web server no longer serves it, then strip all permissions from the renamed copy (the chmod has to target the .bak file: after the mv, the original path no longer exists and chmod on it would fail):

  mv /path/to/dzz/system/ueditor/php/controller.php /path/to/dzz/system/ueditor/php/controller.php.bak
  chmod 000 /path/to/dzz/system/ueditor/php/controller.php.bak

This disables all UEditor uploads (images and attachments) until the file is restored.

Implement file upload restrictions (all platforms)

Add server-side validation to restrict file types and extensions. Edit controller.php so that the extension is taken from the uploaded filename, normalised to lower case, and checked against an allowlist before the file is written to disk ($uploaded_name below stands for the client-supplied filename; it is a placeholder, not a variable in the original code):

  $allowed_ext = ['jpg', 'png', 'gif'];
  $ext = strtolower(pathinfo($uploaded_name, PATHINFO_EXTENSION));
  if (!in_array($ext, $allowed_ext, true)) {
      die('Invalid file type');
  }

🧯 If You Can't Patch

  • Implement WAF rules to block requests to /dzz/system/ueditor/php/controller.php with file upload parameters
  • Restrict network access to DzzOffice instance using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check if file exists: /dzz/system/ueditor/php/controller.php and test file upload functionality

Check Version:

Check DzzOffice version in configuration files or admin panel

Verify Fix Applied:

Attempt to upload a PHP file via the UEditor endpoint; the upload should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /dzz/system/ueditor/php/controller.php with file upload parameters
  • Upload of files with .php, .phtml, or other executable extensions

Network Indicators:

  • Unusual outbound connections from web server after file upload
  • HTTP requests with file upload patterns to the vulnerable endpoint

SIEM Query:

source="web_access.log" AND uri="/dzz/system/ueditor/php/controller.php" AND method="POST" AND (file_ext=".php" OR file_ext=".phtml")
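The SIEM query above, implemented as a small log scanner in Python. This is an added example, not part of the original advisory: it assumes an upload log in JSON lines whose `upload_name` field carries the client-supplied filename (the `file_ext` field in the query presumes the same information), strips query strings before matching the endpoint, and matches extensions case-insensitively.

```python
import json
from urllib.parse import urlsplit

# Endpoint named in the advisory; the query string is stripped before comparing.
VULN_PATH = "/dzz/system/ueditor/php/controller.php"
# Extensions a typical PHP server hands to the interpreter (assumption: align
# with your own handler configuration).
EXEC_EXTS = {"php", "phtml", "php3", "php5", "phar"}

def file_extension(name: str) -> str:
    """Lowercased final extension of an uploaded filename, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def is_suspicious(event: dict) -> bool:
    """POST to the UEditor controller whose uploaded filename is executable."""
    if str(event.get("method", "")).upper() != "POST":
        return False
    if urlsplit(str(event.get("uri", ""))).path != VULN_PATH:
        return False
    return file_extension(str(event.get("upload_name", ""))) in EXEC_EXTS

def scan_log(lines):
    """Return (line_no, event) for each suspicious JSON line; skip unparsable ones."""
    hits = []
    for no, raw in enumerate(lines, 1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and is_suspicious(event):
            hits.append((no, event))
    return hits

# Constructed sample log lines (not real traffic); 'upload_name' is the
# assumed field carrying the client-supplied filename.
SAMPLE_LOG = [
    '{"method":"POST","uri":"/dzz/system/ueditor/php/controller.php","upload_name":"photo.jpg","src":"203.0.113.5"}',
    '{"method":"POST","uri":"/dzz/system/ueditor/php/controller.php?ts=1700000000","upload_name":"notes.PHP","src":"203.0.113.9"}',
    '{"method":"GET","uri":"/dzz/system/ueditor/php/controller.php","upload_name":"","src":"203.0.113.9"}',
    '{"method":"POST","uri":"/dzz/system/ueditor/php/controller.php","upload_name":"report.phtml","src":"198.51.100.7"}',
    '{"method":"POST","uri":"/dzz/index.php","upload_name":"avatar.php","src":"198.51.100.7"}',
    'this line is not JSON and is skipped',
]

if __name__ == "__main__":
    for no, ev in scan_log(SAMPLE_LOG):
        print(f"line {no}: {ev['src']} uploaded {ev['upload_name']} to {VULN_PATH}")
```

Against the sample, lines 2 and 4 are flagged; the upper-case .PHP and the query-string variant show why a plain string match on the query above can miss events.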
