A critical vulnerability has been identified in multiple products, allowing an unauthenticated remote attacker to upload files to arbitrary locations on the server. This flaw, tracked as CVE-2025-41723, can be exploited to gain complete control of the affected system, leading to significant data breaches, service disruption, and further network compromise. Immediate patching is required to mitigate this high-risk threat.

The vulnerability exists within the importFile SOAP method, which fails to properly sanitize user-supplied path information. An unauthenticated remote attacker can craft a malicious SOAP request containing a filename with directory traversal sequences (e.g., ../../). The application processes this input without validation, allowing the attacker to bypass the intended file upload directory and write a file to any location on the server's filesystem that the application's user has write permissions for. This could be used to upload a web shell, overwrite critical system files, or place malicious scripts, ultimately leading to Remote Code Execution (RCE).

This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for severe impact. Successful exploitation could grant an attacker complete control over the affected server. The primary business risks include the theft of sensitive corporate data, customer information, or intellectual property; disruption of business-critical services hosted on the server; and significant reputational damage. A compromised server could also be used as a foothold to launch further attacks against the internal network, escalating the security incident.

Immediate Action: The primary remediation is to apply the security patches provided by the vendor immediately. Upgrade all instances of the affected products to the latest secure version. After patching, review server access logs and filesystem for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring:

• Monitor web server and application logs for incoming requests to the importFile SOAP endpoint, specifically looking for payloads containing path traversal sequences like ../ or ..\.
• Implement File Integrity Monitoring (FIM) on critical systems to detect the creation of unexpected files in sensitive directories (e.g., web root, system directories).
• Monitor for outbound network connections from the affected servers to unknown or suspicious IP addresses, which could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement the following controls as a temporary measure:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to block requests containing directory traversal patterns targeting the vulnerable SOAP method.
• Restrict network access to the vulnerable endpoint, allowing connections only from trusted IP addresses.
• Ensure the application is running with the lowest possible user privileges to limit the directories an attacker could write to.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of unauthenticated Remote Code Execution, this vulnerability represents a severe and immediate threat to the organization. We strongly recommend that all affected systems be patched on an emergency basis. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. Organizations should prioritize this remediation effort above all other routine patching activities and assume it will be actively exploited soon.