Mingsoft MCMS CVE-2025-60838
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
File upload to web shell execution warrants C:H/I:H/A:H with scope change; PR:L used because CMS upload endpoints typically require at minimum contributor-level authentication, pending vendor confirmation of PR:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
An arbitrary file upload vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary code via uploading a crafted file.
AnalysisAI
Arbitrary file upload in Mingsoft MCMS v6.0.1 enables remote code execution on the underlying server by uploading a crafted file - likely a JSP web shell - to a reachable endpoint. The NVD-assigned CVSS score of 6.5 with C:L/I:L impact subscores is materially inconsistent with the stated code execution impact, and this discrepancy should be independently verified. No public exploit has been confirmed as actively exploited per CISA KEV, though a Gist-based reference in NVD data may represent a proof-of-concept; EPSS is low at 0.28% (20th percentile), suggesting no widespread scanning or exploitation observed at time of analysis.
Technical ContextAI
MCMS (Mingsoft CMS) is a Java-based content management system developed by Mingsoft, with the affected product identified via CPE cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:* (all versions, specifically v6.0.1 per the description). The root cause is classified as CWE-77 (Improper Neutralization of Special Elements Used in a Command), which - combined with the 'file upload' description and 'Command Injection' tag - indicates the uploaded file is subsequently invoked in a command or script execution context. In Java CMS deployments on Tomcat, this commonly manifests as uploading a .jsp web shell to a web-accessible directory where the servlet container executes it upon HTTP retrieval. The upload mechanism fails to enforce strict file type allowlisting or store files outside the web root, both standard defenses against this class of vulnerability.
RemediationAI
No vendor-released patched version has been independently confirmed from available data - the Gitee repository at https://gitee.com/mingSoft/MCMS should be monitored for upstream commits or tagged releases addressing this issue; any such fix version should be verified before deployment. As immediate compensating controls: restrict file upload endpoints to authenticated and authorized roles only, even if CVSS PR:N is taken at face value. Implement strict server-side file extension and MIME-type allowlisting, blocking .jsp, .jspx, .sh, .php, and similar executable types at the application layer - note that allowlisting introduces maintenance overhead when legitimate file types are added. Store all uploaded files outside the web root or in a directory served without execute permissions, which eliminates direct web shell retrieval without disrupting storage functionality. Deploy a WAF rule to block multipart uploads of executable MIME types. Enable alerting on unexpected file creation events in web-accessible directories.
An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary cod
Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/
A vulnerability was found in Mingsoft MCMS up to 5.2.9. Rated critical severity (CVSS 9.8), this vulnerability is remote
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName param
MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability. Rated critical severity (CVSS 9.8), this v
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code thro
Mingsoft MCMS 5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/list URI via orderBy parameter
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/listExcludeApp URI via orderB
MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. Rated cr
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list. Rated critical sever
MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today