CVE-2025-12346 is a vulnerability identified in MaxSite CMS up to version 109, specifically within the HTTP Header Handler component located in application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php. The vulnerability arises from improper handling of the HTTP headers X-Requested-FileName and X-Requested-FileUpDir, which an attacker can manipulate to perform unrestricted file uploads. This means an attacker can upload arbitrary files, including potentially malicious scripts, without authentication or user interaction. The vulnerability is remotely exploitable over the network, making it a significant risk for any publicly accessible MaxSite CMS installations. The vendor was contacted prior to public disclosure but did not respond or provide a patch, and currently, no official fix is available. Public exploit code has been released, increasing the likelihood of exploitation in the wild. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the vulnerability's network attack vector, low complexity, no required privileges or user interaction, and limited impact on confidentiality, integrity, and availability. However, unrestricted file upload vulnerabilities are often leveraged for remote code execution, website defacement, data theft, or pivoting within networks, which can escalate the impact beyond the initial score. The lack of vendor response and patch availability heightens the urgency for affected organizations to implement mitigations.

For European organizations, this vulnerability poses a significant risk to the security of websites and web applications running MaxSite CMS version 109. Successful exploitation can lead to arbitrary file uploads, enabling attackers to execute malicious code, deface websites, steal sensitive data, or establish persistent footholds within the network. This can result in data breaches, service disruptions, reputational damage, and potential regulatory penalties under GDPR if personal data is compromised. Public-facing websites of government agencies, financial institutions, and critical infrastructure operators using MaxSite CMS are particularly vulnerable. The presence of public exploit code increases the likelihood of opportunistic attacks, including automated scanning and exploitation by cybercriminals or state-sponsored actors. The medium CVSS score may underestimate the real-world impact if attackers achieve remote code execution. Additionally, the vendor's lack of response and absence of patches prolong the exposure window, increasing risk for European entities relying on this CMS platform.

1. Immediately restrict or disable the vulnerable HTTP Header Handler component or the specific file uploads-require-maxsite.php if feasible. 2. Implement strict input validation and sanitization for HTTP headers, especially X-Requested-FileName and X-Requested-FileUpDir, to prevent manipulation. 3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious upload attempts targeting these headers. 4. Monitor web server logs for unusual file upload activity or access patterns related to the vulnerable component. 5. Isolate MaxSite CMS installations in segmented network zones to limit lateral movement if compromised. 6. Regularly back up website data and configurations to enable rapid recovery. 7. Consider migrating to alternative CMS platforms with active vendor support if patching is not forthcoming. 8. Stay alert for any future patches or vendor advisories and apply updates promptly. 9. Conduct penetration testing focused on file upload functionalities to identify residual risks. 10. Educate web administrators about the risks of unrestricted file uploads and secure configuration best practices.