CVE-2025-8120
📋 TL;DR
CVE-2025-8120 is an unauthenticated remote code execution vulnerability in PAD CMS's photo upload functionality. An attacker can upload arbitrary files without restrictions and execute them, leading to complete system compromise. All PAD CMS installations using www, bip, or ww+bip templates are affected.
💻 Affected Systems
- PAD CMS
📦 What is this software?
Pad Cms by Widzialni
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the server, data exfiltration, ransomware deployment, and lateral movement to other systems.
Likely Case
Webshell deployment leading to persistent backdoor access, data theft, and use as a pivot point for further attacks.
If Mitigated
Limited impact if the upload directory is outside the web root with proper file permissions, though risk remains if an attacker can find an execution path.
🎯 Exploit Status
Unauthenticated exploitation with simple file upload bypass. Weaponization is likely due to high CVSS score and RCE impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: None
Restart Required: No
Instructions:
No official patch available. Product is End-Of-Life. Immediate migration to alternative CMS is required.
🔧 Temporary Workarounds
Disable photo upload functionality
Remove or disable the vulnerable upload feature entirely
# Remove or comment out upload functionality in PAD CMS code
# Disable relevant PHP scripts or routes
Web server file type restrictions
Configure the web server so that files in the upload directory are never executed as scripts
# Apache: add to .htaccess in the upload directory (the directory needs AllowOverride Limit or All).
# No trailing "$" in the pattern, so double extensions such as name.php.jpg are blocked as well.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php8|inc|pl|py|jsp|asp|aspx|cgi|sh|bash)">
    # Apache 2.4 syntax; on Apache 2.2 (or 2.4 with mod_access_compat) use "Deny from all" instead
    Require all denied
</FilesMatch>
# Nginx: add to the server block BEFORE the generic PHP handler location. Nginx uses the first
# matching regex location, so an unscoped rule would either be shadowed by the PHP handler or
# block the whole CMS. Replace /path/to/upload/dir/ with the directory PAD CMS writes photos to.
location ~* ^/path/to/upload/dir/.*\.(php|phtml|php3|php4|php5|php7|phps|php8|inc|pl|py|jsp|asp|aspx|cgi|sh|bash)$ {
    deny all;
}
🧯 If You Can't Patch
- Immediately migrate to a supported CMS platform
- Isolate PAD CMS instance behind strict network segmentation and WAF
🔍 How to Verify
Check if Vulnerable:
Test if unauthenticated file upload accepts PHP or other executable files. Check if uploaded files are accessible via web URL.
Check Version:
# Check PAD CMS installation - product is EOL so all versions vulnerable
Verify Fix Applied:
Verify upload functionality is disabled or file execution is blocked. Test with malicious file upload attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to photo upload endpoints
- POST requests with executable file extensions
- Access to uploaded files with .php, .jsp, .asp extensions
Network Indicators:
- HTTP POST to upload endpoints from unauthenticated sources
- Subsequent requests to uploaded executable files
SIEM Query:
source="web_logs" AND method="POST" AND uri="*upload*"
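The correlation the indicators above describe (a POST to an upload endpoint followed by a request for an executable file in the photo directory from the same client) can be run over ordinary access logs. The script below is an added example written for this advisory, not PAD CMS or vendor code; the log format is Apache/Nginx combined, the photo directory /uploads/photos/ is an assumption to adjust per installation, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format (Apache/Nginx default); only the fields needed for correlation.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
# Extensions from the workaround's FilesMatch rule: none belongs in a photo directory.
EXEC_EXT_RE = re.compile(r'\.(php[3-8]?|phtml|phps|inc|pl|py|jsp|aspx?|cgi|sh|bash)$', re.I)
# ASSUMPTION: where PAD CMS serves uploaded photos from; set to the real path.
PHOTO_DIRS = ("/uploads/photos/",)
UPLOAD_ENDPOINT_RE = re.compile(r'upload', re.I)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_abuse(lines):
    """Flag requests for executable files inside the photo directory.
    Severity is 'high' when the same client POSTed to an upload endpoint earlier."""
    posted = defaultdict(list)  # client IP -> upload endpoints it has POSTed to
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]
        if rec["method"] == "POST" and UPLOAD_ENDPOINT_RE.search(path):
            posted[rec["ip"]].append(path)
            continue
        if path.startswith(PHOTO_DIRS) and EXEC_EXT_RE.search(path):
            prior = posted.get(rec["ip"])
            findings.append({
                "ip": rec["ip"], "path": path, "status": rec["status"],
                "severity": "high" if prior else "medium",
                "prior_upload_post": prior[-1] if prior else None,
            })
    return findings

# Constructed sample log lines (not from a real PAD CMS host).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:10:01:02 +0000] "POST /photo/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2025:10:01:05 +0000] "GET /uploads/photos/image.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2025:10:02:00 +0000] "GET /uploads/photos/cat.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2025:10:02:10 +0000] "GET /index.php?page=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2025:11:00:00 +0000] "GET /uploads/photos/image.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG.splitlines()):
        print(finding)
```

Legitimate CMS pages such as /index.php are ignored because only the photo directory is checked; a 200 status on a flagged path means the server actually executed the file, which is the strongest signal.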