CVE-2025-3518 is a medium-severity vulnerability identified in Unblu inc.'s product Unblu Spark versions 7.0.0 and 8.0.0. The vulnerability arises from a misconfiguration in the file upload functionality, which is designed to be enabled or disabled for specific use cases through configuration settings. Despite the file upload feature being disabled for at least one use case, the system still permits file uploads via direct API requests. This bypass occurs because the backend API does not enforce the disabled state for file uploads in all contexts, allowing a user to upload files even when the feature is ostensibly turned off. However, the system still applies file type restrictions and interception rules during the upload process, which mitigates some risk by preventing unauthorized file types from being uploaded. If file sharing is generally enabled for the environment, this vulnerability is not relevant. The weakness is classified under CWE-284, indicating an authorization bypass issue where access control is improperly enforced. No known exploits are currently reported in the wild, and no patches have been published at the time of analysis. The vulnerability was assigned and enriched by NCSC.ch and CISA, indicating recognition by reputable cybersecurity authorities.

For European organizations using Unblu Spark versions 7.0.0 or 8.0.0, this vulnerability could lead to unauthorized file uploads in scenarios where file upload functionality is intended to be disabled. This could allow threat actors or unauthorized users to introduce files into conversations, potentially leading to the introduction of malicious content, data exfiltration, or circumvention of organizational policies restricting file sharing. While file type restrictions reduce the risk of arbitrary file uploads, attackers might still upload files that could exploit other vulnerabilities or be used for social engineering attacks. The impact on confidentiality and integrity is moderate, as unauthorized files could contain sensitive information or malware. Availability impact is low since the vulnerability does not directly affect system uptime or performance. The vulnerability could be exploited without authentication if the API is accessible, but typically, Unblu Spark is used in controlled environments requiring user authentication, which limits exposure. European organizations in sectors relying heavily on secure client communications, such as financial services, healthcare, and government agencies, could be particularly affected if they rely on Unblu Spark for secure conversations and have disabled file uploads for compliance or security reasons.

Organizations should implement the following specific mitigations: 1) Immediately review and restrict API access to the file upload endpoints to authenticated and authorized users only, ensuring that direct API calls cannot bypass UI-level restrictions. 2) Apply strict network segmentation and firewall rules to limit access to Unblu Spark APIs, especially from untrusted networks. 3) Monitor and log all file upload activities, including API calls, to detect anomalous or unauthorized uploads promptly. 4) Enforce additional validation on the server side to verify that file uploads are only accepted when the feature is enabled for the specific use case, effectively closing the bypass. 5) Coordinate with Unblu inc. to obtain and apply patches or updates once available. 6) Conduct user training to raise awareness about the risks of unauthorized file sharing and encourage reporting of suspicious files. 7) Consider deploying endpoint protection solutions that can scan uploaded files for malware before they reach end users. These steps go beyond generic advice by focusing on API security, monitoring, and organizational controls tailored to this vulnerability.