
CVE-2025-28168: CWE-602 Client-Side Enforcement of Server-Side Security in Multi Uploaders Multiple File Upload

Medium
Type: Vulnerability
Tags: cve, cve-2025-28168, cwe-602
Published: Mon May 05 2025 (05/05/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: Multi Uploaders
Product: Multiple File Upload

Description

The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 05:40:12 UTC

Technical Analysis

CVE-2025-28168 is a medium severity vulnerability affecting the Multiple File Upload add-on component version 3.1.0 for OutSystems, a low-code development platform. The vulnerability arises because the component enforces file extension and size validation solely on the client side. This means that an attacker can intercept the file upload request and manipulate parameters to bypass these client-side restrictions, allowing the upload of arbitrary files without server-side validation. This type of vulnerability is classified under CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Since the validation is not enforced on the server, malicious files such as web shells, scripts, or executables can be uploaded, potentially leading to unauthorized code execution, data leakage, or further compromise of the affected system. The vulnerability requires low privileges (PR:L) but no user interaction (UI:N) and can be exploited remotely (AV:N). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The CVSS v3.1 base score is 6.4, reflecting a medium severity level with partial impact on confidentiality and integrity but no impact on availability. Notably, this is a third-party component not supplied or supported by OutSystems, which may complicate patch management and vendor coordination. No patches or known exploits in the wild have been reported as of the publication date (May 5, 2025).

Potential Impact

For European organizations using the OutSystems platform with the vulnerable Multiple File Upload add-on, this vulnerability poses a significant risk. Successful exploitation could allow attackers to upload malicious files that bypass client-side restrictions, potentially leading to unauthorized access, data exfiltration, or lateral movement within the network. This is particularly concerning for sectors with sensitive data such as finance, healthcare, and government agencies. The ability to upload arbitrary files could facilitate web shell deployment or malware installation, undermining system integrity and confidentiality. Since OutSystems is widely used in Europe for rapid application development, organizations relying on this component may face increased risk of targeted attacks or automated scanning by threat actors. The lack of server-side validation means that traditional security controls relying on client-side enforcement are ineffective, increasing the attack surface. Additionally, the absence of official patches from the third-party vendor may delay remediation efforts, prolonging exposure. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise without additional vulnerabilities or misconfigurations. However, the changed scope indicates potential for broader impact beyond the immediate component, which could affect interconnected systems or data stores.

Mitigation Recommendations

European organizations should implement the following specific mitigation measures:

1) Immediately audit all OutSystems applications to identify usage of the Multiple File Upload add-on component version 3.1.0 or earlier.
2) Disable or remove the vulnerable component if it is not essential to business operations.
3) If removal is not feasible, implement server-side validation for file uploads to enforce strict checks on file extensions, MIME types, and file sizes, independent of client-side controls.
4) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious upload attempts or anomalous file types.
5) Monitor logs for unusual upload activity or errors indicative of exploitation attempts.
6) Educate developers and administrators about the risks of relying solely on client-side validation and enforce secure coding practices.
7) Engage with the third-party vendor for updates or patches and track any future advisories.
8) Consider sandboxing or isolating file upload functionality to limit potential damage from malicious files.
9) Conduct penetration testing focused on file upload mechanisms to validate the effectiveness of mitigations.

These steps go beyond generic advice by emphasizing immediate component inventory, server-side validation implementation, and compensating controls tailored to the specific vulnerability context.
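The server-side validation that measure 3 calls for, written out as an added example (this is not code from the Multiple File Upload component or from OutSystems). The extension allowlist, size limit and magic-byte table are assumed policy values; the point is that every decision is made on the bytes and name the server actually received, and the client's declared MIME type is never trusted.

```python
import os
import re
from typing import Optional, Tuple

# Constructed server-side policy for this example; adjust to the application's needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf"}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB, checked on received bytes, not Content-Length

# Leading bytes the content must carry for each allowed extension (assumed table).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Stem of the stored file name: short, alphanumeric, no spaces or shell metacharacters.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes,
                    client_mime: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Nothing the client asserted influences the verdict;
    client_mime is only echoed in the reason so log review can spot disagreement."""
    # 1. Drop any directory part the client sent (handles both '/' and '\' separators).
    base = os.path.basename(filename.replace("\\", "/"))
    # 2. Require exactly one extension, so 'name.php.png' style names are refused.
    parts = base.split(".")
    if len(parts) != 2:
        return False, f"reject {base!r}: expected name.ext with a single extension"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, f"reject {base!r}: unsafe characters in file name"
    # 3. Extension allowlist evaluated here, regardless of any client-side check.
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"reject {base!r}: extension .{ext} not allowed"
    # 4. Size limit on the bytes actually received.
    if len(content) > MAX_BYTES:
        return False, f"reject {base!r}: {len(content)} bytes exceeds limit {MAX_BYTES}"
    # 5. Content must match the extension it claims; a script renamed to .png fails here.
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, (f"reject {base!r}: content does not match .{ext} "
                       f"(client declared {client_mime!r})")
    return True, f"accept {base!r} as {ext} ({len(content)} bytes)"
```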


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-03-11T00:00:00.000Z
CISA Enriched
true
CVSS Version
3.1
State
PUBLISHED

Threat ID: 682d9818c4522896dcbd8331

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 5:40:12 AM

Last updated: 8/6/2025, 12:11:48 PM
