CVE-2025-34163

CRITICAL EXPLOITED

Dongsheng Logistics Software < pre-July 2025 - Unauthenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

CVE-2025-34163 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.

References (3)

Core 3

Core References

Various Sources technical-description exploit

https://cn-sec.com/archives/4243708.html

Various Sources product patch

http://www.dongshengsoft.com/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/dongsheng-logisitics-software-unauth-arbitrary-file-upload

Scores

CVSS v4 10.0

EPSS 0.0061

EPSS Percentile 44.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-07-23

CWE

CWE-434

Status published

Products (1)

Qingdao Dongsheng Weiye Software Co., Ltd./Dongsheng Logistics Software < pre-July 2025 builds

Published Aug 27, 2025

Tracked Since Feb 18, 2026