CVE-2025-15226

Multiple · Multiple WMPro products developed by Sunnet

A critical vulnerability has been identified in multiple WMPro products developed by Sunnet, tracked as CVE-2025-15226.

Executive summary

A critical vulnerability has been identified in multiple WMPro products developed by Sunnet, tracked as CVE-2025-15226. This flaw allows an unauthenticated remote attacker to upload malicious files, leading to arbitrary code execution and a complete compromise of the affected server. Due to the ease of exploitation and severe impact, immediate remediation is required to prevent potential data breaches, service disruption, and further network intrusion.

Vulnerability

The vulnerability is an Arbitrary File Upload flaw within the WMPro software. The application fails to properly validate files uploaded by users, allowing an unauthenticated attacker to bypass security restrictions. An attacker can exploit this by crafting and sending a request containing a malicious file, such as a web shell (e.g., a PHP or ASPX script), to the server. Once the file is successfully uploaded to a web-accessible directory, the attacker can access it via a URL, triggering the server to execute the embedded code and granting the attacker remote command execution capabilities with the privileges of the web server's service account.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the extreme risk it poses to the organization. Successful exploitation results in a complete compromise of the server's confidentiality, integrity, and availability. An attacker could exfiltrate sensitive corporate or customer data, install ransomware, deface the organization's website, or use the compromised server as a pivot point to attack other systems within the internal network. The potential consequences include significant financial losses, severe reputational damage, operational downtime, and possible regulatory fines.

Remediation

Immediate Action: The primary remediation is to immediately update all affected WMPro products to the latest version provided by the vendor, Sunnet, which addresses this vulnerability. After patching, verify that the update was successful and the vulnerability is no longer present.

Proactive Monitoring: System administrators should actively monitor for signs of exploitation. Review web server access logs for unusual POST requests to file upload endpoints and look for attempts to access suspicious files (e.g., with extensions like .php, .jsp, .aspx, .sh). Monitor for unexpected files appearing in web directories, outbound network connections from the server to unknown destinations, and any unusual processes running under the web server's user context.
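The log review described above can be scripted. The following is an added example, not code from the advisory or from Sunnet: it parses access-log lines in Combined Log Format, flags POST requests to upload endpoints and requests for script-like files (.php, .jsp, .aspx, .sh) under the upload directory, and correlates the two by source address so that the sequence "upload, then fetch a script from the upload directory" stands out. It also filters a directory listing for script-like names, including double extensions such as shell.php.jpg. The endpoint hint "upload", the directory prefix "/uploads/", the path "/wmpro/upload" and the sample log lines are all constructed assumptions; replace them with the real WMPro paths in your deployment.

```python
"""Added example (not from the advisory or from Sunnet): access-log and
upload-directory review for the file-upload vulnerability described above."""
import re

# Extensions named in the advisory's monitoring guidance.
SCRIPT_EXTENSIONS = {".php", ".jsp", ".aspx", ".sh"}
# Assumptions: substrings that identify upload endpoints, and the web path
# under which uploaded files are served. Adjust to the real WMPro layout.
UPLOAD_ENDPOINT_HINTS = ("upload",)
UPLOAD_DIR_PREFIXES = ("/uploads/",)

# Combined/Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /index.aspx HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2025:12:00:09 +0000] "POST /wmpro/upload HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Jan/2025:12:00:15 +0000] "GET /uploads/shell.aspx HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jan/2025:12:01:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 90210',
    '198.51.100.7 - - [10/Jan/2025:12:01:30 +0000] "GET /uploads/test.php HTTP/1.1" 404 210',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def has_script_extension(name):
    """True if any extension component of the basename is script-like,
    so 'shell.php.jpg' is caught as well as 'shell.php'."""
    base = name.rsplit("/", 1)[-1].lower()
    return any("." + part in SCRIPT_EXTENSIONS for part in base.split(".")[1:])


def is_upload_post(entry):
    path = entry["path"].split("?", 1)[0].lower()
    return entry["method"] == "POST" and any(h in path for h in UPLOAD_ENDPOINT_HINTS)


def is_script_request(entry):
    """Only requests for script-like names under the upload directory count;
    the application's own .aspx pages elsewhere on the site are expected."""
    path = entry["path"].split("?", 1)[0].lower()
    return path.startswith(UPLOAD_DIR_PREFIXES) and has_script_extension(path)


def review_access_log(lines):
    """Return upload POSTs, script requests under the upload directory, and the
    script requests whose source IP previously POSTed to an upload endpoint."""
    findings = {"upload_posts": [], "script_requests": [], "upload_then_script": []}
    uploaded_from = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not access-log records
        if is_upload_post(entry):
            findings["upload_posts"].append(entry)
            uploaded_from.add(entry["ip"])
        elif is_script_request(entry):
            findings["script_requests"].append(entry)
            if entry["ip"] in uploaded_from:
                findings["upload_then_script"].append(entry)
    return findings


def flag_script_files(paths):
    """Filter a file listing (e.g. collected with os.walk over the upload
    directory) down to the script-like names that should not be there."""
    return [p for p in paths if has_script_extension(p)]


if __name__ == "__main__":
    for key, entries in review_access_log(SAMPLE_LOG).items():
        print(f"{key}: {len(entries)}")
        for e in entries:
            print(f"  {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    listing = ["/var/www/uploads/report.pdf", "/var/www/uploads/shell.php.jpg"]
    print("script-like files in upload directory:", flag_script_files(listing))
```

Because the script-request check is limited to the upload directory, a single request there for any of the listed extensions is already worth a look even when it returned 404 (the attempt itself is the signal); the correlated "upload_then_script" list is the subset to escalate first.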

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block malicious file uploads based on file signatures, extensions, and content.
  • Restrict file permissions on the web server's upload directories to prevent script execution.
  • If the file upload functionality is not a critical business requirement, consider disabling it entirely until a patch can be applied.
  • Enhance network segmentation to limit the potential impact of a compromise by isolating the affected server from critical internal resources.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical and immediate threat to the organization. Due to the 9.8 CVSS score and the potential for unauthenticated remote code execution, all affected WMPro instances must be patched on an emergency basis. Although this CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a likely candidate for future inclusion. We strongly recommend prioritizing the vendor-supplied updates above all other patching activities. If patching is delayed for any reason, compensating controls must be implemented immediately to reduce the risk of a full system compromise.