CVE-2025-41347: CWE-434 Unrestricted Upload of File with Dangerous Type in Informática del Este WinPlus
Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'.
AI Analysis
Technical Summary
CVE-2025-41347 is a vulnerability classified under CWE-434, indicating an unrestricted file upload flaw in the WinPlus software version 24.11.27 developed by Informática del Este. The vulnerability specifically allows attackers to upload files of dangerous types, such as webshells, by sending a POST request to the endpoint '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'. This unrestricted upload capability bypasses any file type validation or restrictions, enabling an attacker to place malicious executable code on the server. The CVSS 4.0 base score of 8.7 reflects a high severity, with an attack vector that is network-based (AV:N), requiring low attack complexity (AC:L), no authentication (AT:N), and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability at a high level (VC:H, VI:H, VA:H), indicating that successful exploitation could lead to full system compromise, data theft, or service disruption. The vulnerability is currently published and assigned by INCIBE, but no patches or known exploits in the wild have been reported yet. The lack of patch links suggests that a fix is pending or not publicly available at the time of this report. The unrestricted upload of webshells is a critical threat vector as it allows attackers to execute arbitrary commands remotely, potentially leading to lateral movement, data exfiltration, or ransomware deployment.
Potential Impact
For European organizations, the impact of CVE-2025-41347 can be severe. Organizations using WinPlus 24.11.27 may face unauthorized remote code execution, leading to full system compromise. This can result in data breaches, loss of sensitive information, disruption of business operations, and potential regulatory non-compliance under GDPR due to data confidentiality violations. Critical infrastructure or sectors relying on WinPlus for operational technology or business processes could experience service outages or manipulation of data integrity. The absence of authentication and user interaction requirements makes it easier for attackers to exploit the vulnerability remotely, increasing the risk of widespread attacks. Additionally, the ability to upload webshells can facilitate persistent access, lateral movement within networks, and deployment of further malware or ransomware, amplifying the threat landscape for affected organizations.
Mitigation Recommendations
1. Immediately monitor and restrict access to the '/WinplusPortal/ws/sWinplus.svc/json/uploadfile' endpoint using network-level controls such as firewalls or web application firewalls (WAFs) to block unauthorized POST requests.
2. Implement strict server-side validation to restrict allowed file types and enforce file size limits, ensuring only safe and expected file formats are accepted.
3. Employ application-layer security controls to sanitize and validate all uploaded content to prevent execution of malicious code.
4. Conduct thorough logging and monitoring of file upload activities to detect anomalous behavior indicative of exploitation attempts.
5. Isolate WinPlus servers from the internet or untrusted networks where possible to reduce exposure.
6. Engage with Informática del Este for timely patch releases and apply security updates as soon as they become available.
7. Perform regular security assessments and penetration testing focusing on file upload functionalities.
8. Educate IT and security teams about this vulnerability to ensure rapid incident response if exploitation is detected.
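One way to implement the upload monitoring in recommendation 4, as an added example that is not part of the advisory or of Informática del Este's code: it reads web server logs, flags POSTs to the upload endpoint from outside a trusted range, then flags script-type requests answered with 200 to the same client. IIS W3C logging, the trusted range, the extension list and the sample log lines are assumptions.

```python
import ipaddress

UPLOAD_PATH = "/WinplusPortal/ws/sWinplus.svc/json/uploadfile"  # endpoint named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: clients allowed to upload
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")      # assumption: extensions the server executes

# Constructed sample in IIS W3C format; the .aspx paths are invented, not WinPlus's real layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-11-18 10:01:02 POST /WinplusPortal/ws/sWinplus.svc/json/uploadfile 10.20.4.15 200
2025-11-18 10:05:40 POST /WinplusPortal/ws/sWinplus.svc/json/uploadfile 203.0.113.7 200
2025-11-18 10:05:55 GET /WinplusPortal/uploads/x.aspx 203.0.113.7 200
2025-11-18 10:06:10 GET /WinplusPortal/default.aspx 10.20.4.15 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client address is never trusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(lines):
    """Return (timestamp, client, rule, detail) tuples in log order."""
    findings, uploaders = [], set()
    for r in parse_w3c(lines):
        path, ip = r.get("cs-uri-stem", "").lower(), r.get("c-ip", "")
        ts = f'{r.get("date")} {r.get("time")}'
        if r.get("cs-method") == "POST" and path == UPLOAD_PATH.lower():
            if not is_trusted(ip):
                uploaders.add(ip)
                findings.append((ts, ip, "untrusted-upload", r.get("sc-status")))
        elif ip in uploaders and path.endswith(SCRIPT_EXTS) and r.get("sc-status") == "200":
            # Same client that uploaded now gets a 200 from an executable page.
            findings.append((ts, ip, "script-after-upload", r["cs-uri-stem"]))
    return findings
```

The second rule only fires for clients already flagged by the first, so normal portal traffic from trusted uploaders is not reported.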
Affected Countries
Spain, Portugal, Italy, France, Germany
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:57:03.670Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691c544503ddb54749b63b2a
Added to database: 11/18/2025, 11:11:01 AM
Last enriched: 11/25/2025, 12:10:55 PM
Last updated: 1/7/2026, 8:57:14 AM