CVE-2025-34163

Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.
CVSS

No CVSS.

Configurations

No configuration.

History

26 May 2026, 14:16

Type Values Removed Values Added
Summary (en) Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC. (en) Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Dongsheng Logistics Software expone un endpoint no autenticado en /CommMng/Print/UploadMailFile que falla en aplicar una validación adecuada del tipo de archivo y control de acceso. Un atacante puede cargar archivos arbitrarios, incluyendo scripts ejecutables como .ashx, a través de una solicitud POST multipart/form-data manipulada. Esto permite la ejecución remota de código en el servidor, lo que podría llevar a un compromiso total del sistema. La vulnerabilidad se presume que afecta a las compilaciones lanzadas antes de julio de 2025 y se dice que está remediada en versiones más nuevas del producto, aunque el rango exacto afectado permanece indefinido. La evidencia de explotación fue observada por primera vez por la Shadowserver Foundation el 23-07-2025 UTC.

28 Aug 2025, 20:15

Type Values Removed Values Added
Summary (en) Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. (en) Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.

27 Aug 2025, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-08-27 22:15

Updated : 2026-06-17 09:13


NVD link : CVE-2025-34163

Mitre link : CVE-2025-34163

CVE.ORG link : CVE-2025-34163


JSON object : View

Products Affected

No product.

CWE
CWE-434

Unrestricted Upload of File with Dangerous Type