- **CVE ID**: CVE-2025-65806
- **Author**: Kacper Zabiegaj
- **Severity**: Medium
- **Affected Product**: E-POINT CMS
- **Affected Version**: eagle.gsam-1169.1
- **Vendor**: E-POINT SA
- **Attack Vector**: Remote
- **Confirmed by Vendor**: Yes

### Summary

A vulnerability in the E-POINT CMS file upload mechanism allows an attacker to bypass file type validation by uploading nested archive files (e.g., a ZIP containing another ZIP). As a result, files of any type (including normally disallowed extensions) can be extracted on the server. Although this does not automatically lead to Remote Code Execution (RCE), it could enable RCE or further compromise if the server is misconfigured to execute files from the upload directory. The vulnerability stems from insufficient validation of nested archive contents and a lack of proper restrictions on which files can be extracted.

### Description

The File Manager module in E-POINT CMS checks uploaded ZIP files to block unauthorized file types. However, when a ZIP archive contains another ZIP, only the outer archive is validated; the inner archive is not inspected.

### Example

```
outer.zip
└── inner.zip
    └── payload.php
```

The application accepts the uploaded archive, and the user then extracts it manually through the file manager after upload. Because the server does not validate the contents of the extracted files, any file placed inside the inner archive (regardless of extension) ends up stored on the server, resulting in an arbitrary file upload vulnerability.
### Impact

- Upload of arbitrary files to the server
- Bypass of existing file type restrictions
- Potential RCE if the server configuration allows execution of uploaded files
- Potential privilege escalation or data exposure

### Attack Prerequisites

- Attacker must be able to upload files (access to the file manager)
- No special privileges beyond upload rights are required

### Mitigation / Recommendations

- Inspect the contents of all nested archives, not just the top-level ZIP
- Reject multi-layered archives unless explicitly required
- Enforce file extension and MIME validation after extraction
- Prevent extraction into web-accessible directories

### Timeline

- Vulnerability discovered: 7 November 2025
- Vendor notified: Yes
- Vendor confirmed: Yes
- CVE assigned: CVE-2025-65806

### References

- Product page: https://www.e-point.pl/produkty/e-point-cms
- CVE (pending public state)
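As an added defensive example (not E-POINT's code), the nested-archive inspection recommended above in Python: it walks a ZIP, and every ZIP inside it, entirely in memory before anything is extracted, applies a constructed sample extension allowlist to every member at every depth, and rejects nested archives unless the caller explicitly allows them up to a depth limit.

```python
import io
import zipfile

# Constructed sample upload policy: extensions the file manager may store.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_archive(data: bytes, allow_nested: bool = False,
                    max_depth: int = 1, depth: int = 0) -> list[str]:
    """Walk a ZIP (and, if allowed, every ZIP inside it) and return the list
    of policy violations. An empty list means the archive may be extracted.
    The whole check runs in memory before anything is written to disk."""
    violations: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Member names are attacker-controlled: refuse absolute paths
            # and '..' components so extraction cannot escape the target dir.
            if name.startswith("/") or ".." in name.split("/"):
                violations.append(f"unsafe path: {name}")
                continue
            ext = _ext(name)
            if ext in ARCHIVE_EXTENSIONS:
                # The inner archive is the layer the vulnerable check skipped.
                if not allow_nested or depth >= max_depth:
                    violations.append(f"nested archive not allowed: {name}")
                else:
                    inner = inspect_archive(zf.read(name), allow_nested,
                                            max_depth, depth + 1)
                    violations.extend(f"in {name}: {v}" for v in inner)
                continue
            if ext not in ALLOWED_EXTENSIONS:
                violations.append(f"disallowed type: {name}")
    return violations


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct sample archives in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run the check on the uploaded bytes and refuse the upload if the list is non-empty; the same function should run again on any archive a user later asks the file manager to extract.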