A high-severity vulnerability, identified as CVE-2025-12867, has been discovered in the Hundred Plus EIP Plus software. This flaw allows a remote attacker with existing user privileges to upload malicious files, which can then be executed to gain full control over the affected server. Successful exploitation could lead to a complete system compromise, data theft, and significant service disruption.

This is an Arbitrary File Upload vulnerability. The application fails to properly validate files uploaded by users, allowing an authenticated attacker with sufficient privileges to upload a file with a dangerous type, such as a web shell (.php, .aspx, etc.). Once the malicious file is on the server, the attacker can navigate to it via a URL, causing the server to execute the code within the file. This provides the attacker with a backdoor for arbitrary code execution with the privileges of the web server process, enabling them to take control of the system.

This vulnerability is rated as High severity with a CVSS score of 7.2. A successful exploit could have a severe impact on the business, leading to a complete compromise of the application server. Potential consequences include the theft of sensitive corporate data, intellectual property, or customer information; disruption of business operations reliant on the EIP Plus platform; and significant reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network, escalating the overall risk to the organization.

Immediate Action: Apply the security updates provided by the vendor immediately to all affected systems. After patching, review web server and application logs for any signs of past exploitation attempts, such as suspicious file uploads or unusual requests to non-existent pages that might indicate a web shell.

Proactive Monitoring:

• Log Analysis: Scrutinize web server access logs for POST requests to file upload endpoints. Look for uploads of files with executable extensions (e.g., .php, .jsp, .aspx, .sh) or multiple extensions (e.g., shell.php.jpg).
• File Integrity Monitoring (FIM): Implement or verify FIM on web server directories to detect the creation of new, unauthorized files.
• Network Traffic: Monitor for anomalous outbound connections from the server, as this could indicate a web shell communicating with an attacker's command-and-control server.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Web Application Firewall (WAF): Deploy a WAF with rules to strictly filter file uploads, blocking files based on extension, MIME type, and content inspection.
• Access Control: Restrict file upload functionality to the minimum number of trusted administrative users necessary.
• Disable Execution: Configure the web server to prevent script execution in directories where files are uploaded.

Public Exploit Available: false

Given the high severity (CVSS 7.2) and the potential for complete system compromise, it is strongly recommended that the organization prioritizes the immediate application of the vendor-supplied security patches. Although this vulnerability is not currently listed on the CISA KEV catalog, its critical impact warrants urgent action. If patching is delayed for any reason, the compensating controls outlined above, particularly the use of a WAF and heightened monitoring, should be implemented as a temporary mitigation.