Specto CM CVE-2025-2155
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion.
This issue affects Specto CM: before 17032025.
AnalysisAI
Remote code execution in Specto CM versions before 17032025 allows authenticated attackers to upload files with dangerous types, leading to arbitrary code inclusion on the server. The flaw, tracked as CVE-2025-2155 and reported by Turkey's USOM CERT, carries a high CVSS score of 8.8 and stems from missing validation on uploaded file types. No public exploit identified at time of analysis, and the EPSS exploitation probability remains low at 0.07%.
Technical ContextAI
Specto CM is a customer/contact management platform developed by Echo Call Center Services Trade and Industry Inc., typically deployed by call center operators in Turkey. The vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type), a root cause class where the application accepts user-supplied files without adequately validating their extension, MIME type, or actual content. When an attacker uploads a server-executable file (such as a PHP, ASPX, or JSP script) into a web-accessible directory, the web server interprets and executes it on subsequent requests, achieving remote code inclusion. This is one of the most consistently exploited weaknesses in web applications because the fix requires layered validation (extension allowlist, content inspection, storage outside webroot) which many vendors implement incompletely.
Affected ProductsAI
Specto CM by Echo Call Center Services Trade and Industry Inc. in all versions prior to 17032025 (a date-based versioning scheme indicating builds before March 17, 2025) is affected. No CPE string was provided in the input data to confirm exact product identifiers. The Turkish national CERT advisory at https://www.usom.gov.tr/bildirim/tr-25-0480 and the mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0480 are the only authoritative references identified.
RemediationAI
Upgrade Specto CM to version 17032025 or later as the primary remediation, following the vendor guidance referenced in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0480. If immediate upgrade is not feasible, restrict access to the file upload endpoints to trusted authenticated users only via network-level controls (IP allowlist or VPN), and configure the web server to deny execution of scripts (PHP/ASPX/JSP) in any directory that receives user uploads - note that this may break legitimate functionality if the application relies on dynamic content in upload directories. Additionally, deploy a web application firewall rule to inspect multipart upload requests for executable file extensions and double-extension bypasses, accepting the trade-off of potential false positives on legitimate binary attachments. Monitor application and web server logs for newly created files in upload paths and anomalous outbound connections from the application server.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today