CVE-2025-8526

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in Exrick xboot allows remote attackers to upload arbitrary files without restriction via the UploadController.java component. It affects all systems running xboot versions up to and including 3.3.4 and can lead to complete system compromise.

💻 Affected Systems

Products:
  • Exrick xboot
Versions: All versions up to and including 3.3.4
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable upload functionality are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case
Remote code execution leading to full system takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case
Webshell deployment allowing persistent backdoor access, file system manipulation, and potential privilege escalation.

🟢 If Mitigated
Limited impact with proper file upload validation and restricted execution environments.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal systems still vulnerable but require network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed on GitHub and vuldb, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.3.5 or later

Vendor Advisory: https://github.com/Exrick/xboot/issues/71

Restart Required: Yes

Instructions:

1. Upgrade to xboot version 3.3.5 or later.
2. Replace the vulnerable UploadController.java file.
3. Restart the application server.

🔧 Temporary Workarounds

Disable file upload endpoint (applies to: all)

Temporarily disable or block access to the vulnerable upload endpoint:
  • Configure web server to block /upload endpoints
  • Modify application to disable upload functionality

Implement file validation (applies to: all)

Add server-side file type validation and size restrictions:
  • Implement whitelist of allowed file extensions
  • Set maximum file size limits
  • Scan uploaded files for malicious content
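The validation workaround above, worked through in Java as an added example (this is not xboot's code and not a patch for UploadController.java; the class name, the allow-list of extensions and the constructed sample inputs are assumptions). It shows the three controls together: an extension allow-list, a size cap, and a check that the first bytes of the file agree with the claimed type, plus a server-chosen file name so nothing the client sent is used on the file system.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

/**
 * Added example: server-side validation for an upload endpoint.
 * Not xboot's code; assumes the handler already holds the client-supplied
 * file name and the file bytes in memory.
 */
public final class UploadValidator {

    /** Allow-list (assumed): permitted extension -> magic bytes expected at offset 0. */
    private static final Map<String, byte[]> ALLOWED = Map.of(
            "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
            "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "pdf",  new byte[]{'%', 'P', 'D', 'F'});

    private static final SecureRandom RNG = new SecureRandom();

    /** Outcome of validation; storedName is chosen by the server, never by the client. */
    public static final class Result {
        public final boolean accepted;
        public final String reason;
        public final String storedName;

        Result(boolean accepted, String reason, String storedName) {
            this.accepted = accepted;
            this.reason = reason;
            this.storedName = storedName;
        }

        @Override
        public String toString() {
            return accepted ? "ACCEPT as " + storedName : "REJECT: " + reason;
        }
    }

    public static Result validate(String clientName, byte[] content, long maxBytes) {
        if (clientName == null || clientName.isBlank()) {
            return reject("missing file name");
        }
        if (content == null || content.length == 0) {
            return reject("empty upload");
        }
        if (content.length > maxBytes) {
            return reject("exceeds size limit of " + maxBytes + " bytes");
        }

        // Drop any directory component the client sent ("../", "..\\", absolute paths).
        // A NUL byte in the name makes Paths.get throw; treat that as a rejection too.
        String base;
        try {
            Path name = Paths.get(clientName.replace('\\', '/')).getFileName();
            if (name == null) {
                return reject("no file name component");
            }
            base = name.toString();
        } catch (InvalidPathException e) {
            return reject("invalid characters in file name");
        }

        // Only the final extension counts; "x.jsp.png" is judged by its bytes below.
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return reject("no file extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) {
            return reject("extension '" + ext + "' not in allow-list");
        }

        // The extension claims a type; the leading bytes must agree with it.
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            return reject("content does not match '" + ext + "' signature");
        }

        // Server-generated name: nothing from the client reaches the file system.
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        StringBuilder hex = new StringBuilder();
        for (byte b : rnd) {
            hex.append(String.format("%02x", b));
        }
        return new Result(true, null, hex + "." + ext);
    }

    private static Result reject(String reason) {
        return new Result(false, reason, null);
    }

    /** Constructed sample inputs showing each decision; not real upload traffic. */
    public static void main(String[] args) {
        long limit = 1024 * 1024;
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0, 0};
        byte[] text = "plain text, not an image".getBytes();

        System.out.println(validate("photo.PNG", png, limit));           // accepted
        System.out.println(validate("page.jsp", text, limit));           // rejected: extension
        System.out.println(validate("page.jsp.png", text, limit));       // rejected: signature
        System.out.println(validate("../../webapps/x.png", png, limit)); // accepted, traversal stripped
        System.out.println(validate("big.pdf", new byte[2048], 1024));   // rejected: size
    }
}
```

The stored file should be written to a directory outside the servlet container's document root and served back through a handler that sets a fixed Content-Type, so that even a file that passes these checks is never handed to the JSP engine or interpreted by the browser as something else.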

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy web application firewall with file upload protection rules

🔍 How to Verify

Check if Vulnerable:

Confirm whether the deployment runs xboot version 3.3.4 or earlier and whether the upload functionality is enabled.

Check Version:

Check application version in pom.xml or application properties

Verify Fix Applied:

Verify that the version is 3.3.5 or later and confirm that uploads with disallowed extensions are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with executable extensions
  • Multiple failed upload attempts
  • Uploads to non-standard directories

Network Indicators:

  • POST requests to upload endpoints with suspicious file types
  • Unusual outbound connections after file uploads

SIEM Query:

source="web_logs" AND (uri="/upload" OR uri="*upload*") AND (file_extension="jsp" OR file_extension="php" OR file_extension="exe")
