
CVE-2025-28168: CWE-602 Client-Side Enforcement of Server-Side Security in Multi Uploaders Multiple File Upload

Severity: Medium
Tags: Vulnerability, CVE-2025-28168, CWE-602
Published: Mon May 05 2025 (05/05/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: Multi Uploaders
Product: Multiple File Upload

Description

The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.

AI-Powered Analysis

Last updated: 08/27/2025, 00:37:05 UTC

Technical Analysis

CVE-2025-28168 is a medium-severity vulnerability in version 3.1.0 of the Multiple File Upload add-on component for OutSystems, a popular low-code development platform. The flaw exists because the component's file upload restrictions are enforced only on the client side: the extension and file-size checks run in the browser, so an attacker who intercepts the upload request and modifies its parameters can bypass them and upload arbitrary files to the server. This is classified under CWE-602, client-side enforcement of server-side security, a common security anti-pattern. Because nothing is validated on the server side, a malicious actor can upload files containing malware, web shells, or other harmful payloads.

Although the component is a third-party add-on that OutSystems neither supplies nor supports, many organizations building on OutSystems may have incorporated it and are therefore exposed. The CVSS 3.1 base score is 6.4 (medium severity): the attack vector is network (remote exploitation), attack complexity is low, low privileges are required, no user interaction is needed, and the impact is on confidentiality and integrity with no impact on availability. No exploits are currently reported in the wild, and no patch has been published yet. The scope is rated changed (S:C) because exploitation can affect resources beyond the vulnerable component itself, potentially leading to broader compromise depending on the nature of the uploaded file and the server configuration.

Potential Impact

For European organizations using OutSystems with the vulnerable Multiple File Upload add-on, this vulnerability poses a significant risk. Successful exploitation could allow attackers to upload malicious files such as web shells or scripts that enable remote code execution, data exfiltration, or lateral movement within the network. This threatens the confidentiality and integrity of sensitive data and could lead to unauthorized access to internal systems. The absence of server-side validation means that even users with limited privileges could exploit this flaw remotely without user interaction, increasing the attack surface. Given the widespread adoption of OutSystems in Europe for enterprise applications, especially in sectors like finance, healthcare, and public administration, the potential impact includes regulatory non-compliance (e.g., GDPR violations), operational disruption, and reputational damage. The lack of a patch means organizations must rely on compensating controls until an official fix is available. Although no active exploitation has been reported, the vulnerability’s nature makes it a likely target for attackers seeking to gain initial footholds or escalate privileges in compromised environments.

Mitigation Recommendations

1. Immediate mitigation should focus on implementing server-side validation for all file uploads, ensuring that file extensions, MIME types, and file sizes are strictly checked on the server regardless of client-side checks.
2. Employ a whitelist approach for allowed file types rather than blacklisting to minimize the risk of malicious uploads.
3. Use sandboxing or isolated storage locations for uploaded files with strict access controls to prevent execution or access by unauthorized users.
4. Monitor and log all file upload activities, including failed and successful attempts, to detect suspicious behavior promptly.
5. Restrict privileges of the application process handling uploads to minimize potential damage if exploitation occurs.
6. If possible, temporarily disable or replace the vulnerable component with a secure alternative until an official patch or update is released by the third-party vendor.
7. Conduct regular security assessments and penetration tests focusing on file upload functionalities.
8. Educate developers and administrators about the risks of client-side-only validation and enforce secure coding practices.
9. Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting this component.
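The server-side check that items 1 and 2 call for, as an added illustration that is not the Multiple File Upload component's own code: the decision depends only on the received bytes and the server's allow-list, so a client-supplied type parameter or a renamed extension changes nothing. The allow-list, magic bytes, 5 MiB limit and the sample uploads are constructed assumptions.

```python
import os
import uuid

# Server-side upload policy. Constructed example, not the Multiple File Upload
# component's own code; the allow-list and size limit are assumptions.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",   # magic bytes the content must start with
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed 5 MiB limit


def validate_upload(client_filename: str, client_declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Only the received bytes and the server's policy decide.
    client_declared_type is the kind of parameter an intercepting proxy can rewrite,
    so it is kept for logging but never used for the decision."""
    if not data or len(data) > MAX_BYTES:
        return False, "size out of bounds"
    # Judge by the last extension only, lower-cased; 'report.pdf.exe' is judged as 'exe'.
    ext = os.path.splitext(client_filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not in allow-list"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not look like {ext} (declared {client_declared_type!r})"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-generated name so the client's filename never reaches the filesystem."""
    return f"{uuid.uuid4().hex}.{ext}"


def run_constructed_cases() -> dict[str, bool]:
    """Constructed uploads: a real PNG, a renamed script, a spoofed type, an oversize file."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    script = b"<?php /* placeholder */ ?>"
    cases = {
        "photo.png": ("image/png", png),
        "shell.png": ("image/png", script),   # extension spoofed, content is not PNG
        "shell.php": ("image/png", script),   # declared type spoofed, extension denied
        "huge.png": ("image/png", b"\x89PNG\r\n\x1a\n" + bytes(MAX_BYTES)),
    }
    return {name: validate_upload(name, typ, blob)[0] for name, (typ, blob) in cases.items()}
```

Only `photo.png` is accepted; the three bypass attempts the page describes (renamed extension, rewritten type parameter, oversize file) are rejected by the server regardless of what the client asserted.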


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd8331

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 8/27/2025, 12:37:05 AM

Last updated: 10/1/2025, 4:10:46 AM

