CVE-2025-58963

7oroof · 7oroof Medcity

Executive summary

A critical vulnerability has been identified in the 7oroof Medcity software, assigned CVE-2025-58963, with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to upload a malicious file, such as a web shell, directly to the server. Successful exploitation could result in a complete compromise of the affected server, leading to data theft, service disruption, and further network intrusion.

Vulnerability

The software contains an Unrestricted Upload of File with Dangerous Type vulnerability. The file upload functionality does not properly validate the type or content of files being uploaded, allowing an attacker to upload an executable script (e.g., a PHP, ASP, or JSP file) disguised as a benign file type like an image. Once the malicious file is on the server, the attacker can access it via its URL, causing the web server to execute the code within the file, granting the attacker remote command execution capabilities.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a complete compromise of the web server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive data (e.g., patient information, corporate data), deployment of ransomware, website defacement, and the use of the compromised server as a pivot point to attack other internal systems. This poses a severe reputational, financial, and operational risk to the organization.

Remediation

Immediate Action: Update the 7oroof Medcity software to version 1.1.9 or the latest available version that addresses this vulnerability. After patching, conduct a thorough review of access logs and the file system for any signs of prior exploitation or suspicious uploaded files.

Proactive Monitoring: Monitor web server and application logs for suspicious file upload attempts, especially for files with script extensions (.php, .aspx, .jsp) being uploaded to unexpected directories. Monitor for outbound network connections from the web server to unusual IP addresses, which could indicate a successful web shell compromise. File Integrity Monitoring (FIM) should be used to detect the creation of unauthorized files in web-accessible directories.
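
One way to run the file-system review and the check for scripts disguised as images described above, written in Python. This is an added example, not code from the advisory or the vendor; the extension list, magic-byte table, content markers and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed lists, not from the advisory. Markers are heuristic: bare "<?" or "<%" is not matched.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".asp", ".aspx", ".jsp", ".jspx"}
IMAGE_MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",),
               ".jpeg": (b"\xff\xd8\xff",), ".gif": (b"GIF87a", b"GIF89a")}
SCRIPT_MARKERS = (b"<?php", b"<%@ page", b"<script runat")


def classify(name, data):
    """Return reasons a file looks like a script; every extension in the name is checked."""
    reasons = []
    parts = name.lower().split(".")
    if {"." + p for p in parts[1:]} & SCRIPT_EXTS:
        reasons.append("script-extension")
    magic = IMAGE_MAGIC.get("." + parts[-1])
    if magic and not data.startswith(magic):
        reasons.append("image-extension-without-image-header")
    if any(m in data.lower() for m in SCRIPT_MARKERS):
        reasons.append("embedded-script-marker")
    return reasons


def scan_upload_dir(root, max_bytes=1 << 20):
    """Return {relative path: reasons} for suspicious files under root."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            with path.open("rb") as fh:
                reasons = classify(path.name, fh.read(max_bytes))
        except OSError:
            reasons = ["unreadable"]
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Scan a temporary directory of constructed, harmless sample uploads."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,      # genuine image header
        "avatar.jpg": b"<?php /* placeholder */ ?>",          # script named as image
        "banner.gif": b"GIF89a<?php /* placeholder */ ?>",    # valid header, script body
        "notes.php.jpg": b"\xff\xd8\xff" + b"\x00" * 16,      # double extension
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            (Path(root) / name).write_bytes(data)
        return scan_upload_dir(root)
```

Point `scan_upload_dir` at the web-accessible upload directory and treat any finding as a lead for the access-log review, not as proof of compromise.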

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Deploy a Web Application Firewall (WAF) with rules to inspect and block malicious file uploads.
  • Configure the web server to disallow script execution in directories where files are uploaded.
  • Restrict file upload functionality to only authenticated and trusted users.
  • Scan uploaded files with antivirus/antimalware solutions before they are saved to the server.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the high impact of a successful attack, immediate action is required. Organizations must prioritize applying the vendor-supplied patch to all affected Medcity instances. Although this vulnerability is not currently on the CISA KEV list, its severity makes it a prime target for opportunistic attackers. If patching cannot be performed immediately, the compensating controls listed above should be implemented as a matter of urgency to mitigate the risk of a full system compromise.