CVE-2025-15228
CRITICAL WAF: Medium
CVSS 9.8
Published: 2025-12-29
CWE-434
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| welltend | bpmflowwebkit | up to 5.0.5 |
References
- www.twcert.org.tw (Third Party Advisory)
- www.twcert.org.tw (Third Party Advisory)