CVE-2025-34350

HIGH

UnForm Server <10.1.15 - Info Disclosure

Title source: llm

Description

UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement.

References (2)

Core 2

Core References

Various Sources release-notes patch

https://unform.com/download/uf101_readme.txt

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/unform-server-doc-flow-unauthenticated-file-read

Scores

CVSS v4 8.7

EPSS 0.0076

EPSS Percentile 50.4%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22 CWE-918

Status published

Products (1)

Synergetic Data Systems, Inc./UnForm Server < 10.1.15

Published Nov 25, 2025

Tracked Since Feb 18, 2026