CVE Alert: CVE-2025-12867 – Hundred Plus – EIP Plus
CVE-2025-12867
EIP Plus developed by Hundred Plus has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
AI Summary Analysis
Risk verdict
High risk with potential for remote web shell upload and code execution; treat as a priority if the system is externally accessible.
Why this matters
No user interaction is required and the flaw is exploitable over the network, enabling an attacker to compromise the server unnoticed. The impact spans confidentiality, integrity, and availability, raising the likelihood of data theft, tampering, or service disruption.
Most likely attack path
An attacker with network access targets the vulnerable upload endpoint and, holding the elevated privileges the flaw requires, uploads a malicious payload to gain code execution. Once a web shell is deployed, lateral movement within the host or to adjacent services may be possible if permissions permit. The lack of user interaction lowers the barrier, but the need for high privileges constrains initial access.
Who is most exposed
Deployments with internet-facing web endpoints that accept file uploads are at greatest risk, especially where upload handling or permissions are poorly restricted; this is common in externally accessible web apps and hosted services with web-based admin interfaces.
Detection ideas
- Unusual or large file uploads to the web-facing upload path
- New or modified files in webroot or application directories shortly after access attempts
- Web server access logs showing repeated POSTs to upload endpoints from anomalous IPs
- Known web shell indicators or unusual payloads in upload archives
- Sudden spikes in elevated-privilege activity on the host
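As an added example (not from the advisory or the vendor), the following script implements two of the detection ideas above over constructed sample data: it counts repeated POSTs to upload endpoints per client in access-log lines, and it flags uploaded filenames whose extensions a web server could execute. The upload path pattern, threshold, and extension list are assumptions to adapt to the actual deployment.

```python
import re
from collections import Counter

# Combined Log Format as written by Apache httpd and nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: the product's upload handler path contains "upload".
UPLOAD_PATH_RE = re.compile(r"upload", re.IGNORECASE)
# Server-side executable extensions; a web shell needs one of these in the webroot.
EXEC_EXTS = {"php", "php5", "phtml", "jsp", "jspx", "asp", "aspx", "cgi", "pl", "sh"}

# Constructed sample log lines (RFC 5737 documentation addresses, made-up path).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:10:01:02 +0000] "POST /app/upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2025:10:01:05 +0000] "POST /app/upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2025:10:01:09 +0000] "POST /app/upload HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Nov/2025:10:02:00 +0000] "GET /app/index HTTP/1.1" 200 1024',
    '198.51.100.4 - - [10/Nov/2025:10:02:30 +0000] "POST /app/upload HTTP/1.1" 200 512',
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def repeated_upload_posts(lines, threshold=3):
    """Map client IP -> number of POSTs to upload paths, keeping only IPs at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and UPLOAD_PATH_RE.search(rec["path"]):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def executable_uploads(filenames):
    """Return filenames carrying an executable extension anywhere after the base name.

    Every suffix is checked so double extensions such as pic.php.jpg are caught.
    """
    flagged = []
    for name in filenames:
        suffixes = name.lower().split(".")[1:]
        if any(s in EXEC_EXTS for s in suffixes):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("repeated upload POSTs:", repeated_upload_posts(SAMPLE_LOG))
    print("executable uploads:", executable_uploads(["report.pdf", "shell.php", "pic.php.jpg"]))
```

In production, feed the real access log and the listing of the upload directory; a hit on either check is a cue to inspect the uploaded content and the host for post-upload activity.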
Mitigation and prioritisation
- Update to release 240626 or later immediately.
- Disable or tightly restrict file upload functionality; enforce strict whitelisting of allowed file types.
- Implement robust server-side validation, scanning, and storage isolation for uploaded files.
- Enforce least-privilege for the process/service and strengthen authentication for upload endpoints; consider WAF/rate limiting.
- Change management: test the patch in staging, roll it out during a maintenance window, and monitor for anomalies after deployment. If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1.