CVE-2025-10755 is a medium-severity vulnerability identified in Selleo Mentingo version 2025.08.27, specifically within an unspecified function of the Content-Type Handler component. The vulnerability arises from improper validation or restriction of the 'userAvatar' argument, which allows an attacker to perform an unrestricted file upload remotely. This means that an attacker can upload arbitrary files to the server without authentication or user interaction, potentially leading to the execution of malicious code, defacement, or further compromise of the system. The vulnerability does not require prior authentication (PR:L) or user interaction (UI:N), and the attack vector is network-based (AV:N), making it accessible remotely. The CVSS 4.0 vector indicates low complexity (AC:L) and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L), suggesting that while the exploit can lead to some data exposure or modification, the overall impact is limited by the scope of the vulnerability or existing mitigations. The vendor, Selleo, was contacted but did not respond, and no patches or mitigations have been publicly released as of the publication date. Although the exploit is public, there are no known exploits in the wild yet. The lack of patch availability and vendor response increases the risk for organizations using this product, as attackers can leverage this vulnerability to gain unauthorized access or deploy malware through uploaded files. The vulnerability's root cause is the failure to properly validate or restrict file uploads via the userAvatar parameter, which is commonly used for user profile images, making it a likely target for attackers to upload web shells or other malicious payloads.

For European organizations using Selleo Mentingo 2025.08.27, this vulnerability poses a significant risk of unauthorized remote code execution or system compromise through malicious file uploads. The ability to upload arbitrary files without authentication can lead to data breaches, service disruption, or lateral movement within the network. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on this software for user profile management or content handling could face confidentiality breaches, integrity violations, and availability issues. The absence of vendor patches and the public availability of exploit details increase the likelihood of targeted attacks. Additionally, compliance with GDPR and other data protection regulations could be jeopardized if personal data is exposed or systems are compromised due to this vulnerability. The medium severity rating suggests that while the vulnerability is exploitable, the overall damage might be limited by other security controls; however, the risk remains substantial given the ease of exploitation and lack of authentication requirements.

European organizations should immediately implement compensating controls to mitigate the risk posed by this vulnerability. These include: 1) Restricting or disabling the userAvatar upload functionality if feasible until a patch is available. 2) Implementing strict input validation and file type restrictions at the web server or application firewall level to block unauthorized file types and potentially malicious payloads. 3) Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious upload attempts targeting the userAvatar parameter. 4) Monitoring logs for unusual upload activity or attempts to exploit this vulnerability. 5) Isolating the affected application environment to limit potential lateral movement in case of compromise. 6) Conducting regular security assessments and penetration testing focused on file upload functionalities. 7) Engaging with Selleo for updates or patches and subscribing to vulnerability advisories for timely remediation. 8) Educating IT and security teams about this vulnerability to ensure rapid detection and response to any exploitation attempts.