Skip to main content

Mingsoft MCMS CVE-2025-60838

MEDIUM
Command Injection (CWE-77)
2025-10-10 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
9.9 CRITICAL

File upload to web shell execution warrants C:H/I:H/A:H with scope change; PR:L used because CMS upload endpoints typically require at minimum contributor-level authentication, pending vendor confirmation of PR:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 04:10 vuln.today

DescriptionCVE.org

An arbitrary file upload vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary code via uploading a crafted file.

AnalysisAI

Arbitrary file upload in Mingsoft MCMS v6.0.1 enables remote code execution on the underlying server by uploading a crafted file - likely a JSP web shell - to a reachable endpoint. The NVD-assigned CVSS score of 6.5 with C:L/I:L impact subscores is materially inconsistent with the stated code execution impact, and this discrepancy should be independently verified. No public exploit has been confirmed as actively exploited per CISA KEV, though a Gist-based reference in NVD data may represent a proof-of-concept; EPSS is low at 0.28% (20th percentile), suggesting no widespread scanning or exploitation observed at time of analysis.

Technical ContextAI

MCMS (Mingsoft CMS) is a Java-based content management system developed by Mingsoft, with the affected product identified via CPE cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:* (all versions, specifically v6.0.1 per the description). The root cause is classified as CWE-77 (Improper Neutralization of Special Elements Used in a Command), which - combined with the 'file upload' description and 'Command Injection' tag - indicates the uploaded file is subsequently invoked in a command or script execution context. In Java CMS deployments on Tomcat, this commonly manifests as uploading a .jsp web shell to a web-accessible directory where the servlet container executes it upon HTTP retrieval. The upload mechanism fails to enforce strict file type allowlisting or store files outside the web root, both standard defenses against this class of vulnerability.

RemediationAI

No vendor-released patched version has been independently confirmed from available data - the Gitee repository at https://gitee.com/mingSoft/MCMS should be monitored for upstream commits or tagged releases addressing this issue; any such fix version should be verified before deployment. As immediate compensating controls: restrict file upload endpoints to authenticated and authorized roles only, even if CVSS PR:N is taken at face value. Implement strict server-side file extension and MIME-type allowlisting, blocking .jsp, .jspx, .sh, .php, and similar executable types at the application layer - note that allowlisting introduces maintenance overhead when legitimate file types are added. Store all uploaded files outside the web root or in a directory served without execute permissions, which eliminates direct web shell retrieval without disrupting storage functionality. Deploy a WAF rule to block multipart uploads of executable MIME types. Enable alerting on unexpected file creation events in web-accessible directories.

More in Mcms

View all
CVE-2025-29287 CRITICAL POC
9.8 Apr 21

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary cod

CVE-2023-50578 CRITICAL POC
9.8 Dec 30

Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/

CVE-2022-4375 CRITICAL POC
9.8 Dec 09

A vulnerability was found in Mingsoft MCMS up to 5.2.9. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-36599 CRITICAL POC
9.8 Aug 16

Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.

CVE-2022-36272 CRITICAL POC
9.8 Aug 16

Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName param

CVE-2022-31943 CRITICAL POC
9.8 Jul 01

MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability. Rated critical severity (CVSS 9.8), this v

CVE-2022-30506 CRITICAL POC
9.8 Jun 02

An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code thro

CVE-2022-30048 CRITICAL POC
9.8 May 11

Mingsoft MCMS 5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/list URI via orderBy parameter

CVE-2022-30047 CRITICAL POC
9.8 May 11

Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/listExcludeApp URI via orderB

CVE-2022-27466 CRITICAL POC
9.8 May 02

MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. Rated cr

CVE-2022-26585 CRITICAL POC
9.8 Apr 05

Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list. Rated critical sever

CVE-2022-25125 CRITICAL POC
9.8 Mar 03

MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp.

Share

CVE-2025-60838 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy