
CVE-2025-63695: n/a

0
Critical
Published: Tue Nov 18 2025 (11/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.

AI-Powered Analysis

Last updated: 11/18/2025, 19:13:22 UTC

Technical Analysis

CVE-2025-63695 identifies a security vulnerability in DzzOffice version 2.3.7 and earlier, located in the file upload handling functionality within /dzz/system/ueditor/php/controller.php. The vulnerability permits arbitrary file uploads, meaning an attacker can upload files of their choosing without proper validation or restrictions. This type of vulnerability is critical because it can allow attackers to upload malicious scripts or executables, which can then be executed on the server, leading to remote code execution, privilege escalation, or full system compromise. The vulnerability was reserved on October 27, 2025, and published on November 18, 2025, but no CVSS score or patch links are currently available, and no exploits have been observed in the wild. The lack of authentication requirements or user interaction details suggests the upload endpoint may be accessible to unauthenticated users, increasing the risk. The affected component, UEditor, is a widely used web-based rich text editor integrated into DzzOffice, a collaborative office platform. Attackers exploiting this vulnerability could bypass file type restrictions or other security controls, upload web shells or malware, and gain persistent access to the affected system. This vulnerability threatens the confidentiality, integrity, and availability of data and services hosted on vulnerable DzzOffice instances.

Potential Impact

For European organizations, exploitation of this vulnerability could lead to unauthorized access to sensitive corporate data, disruption of business operations, and potential lateral movement within internal networks. Organizations in sectors such as government, finance, healthcare, and education that use DzzOffice for collaboration and document management are particularly at risk. Compromise could result in data breaches, intellectual property theft, ransomware deployment, or defacement of web services. The arbitrary file upload can also serve as a foothold for further attacks, including privilege escalation and persistent backdoors. The absence of known exploits currently limits immediate widespread impact, but the vulnerability's nature makes it a high-risk target once exploit code becomes available. European entities with public-facing DzzOffice installations are especially vulnerable to remote exploitation attempts. The impact extends beyond individual organizations to potentially affect supply chains and critical infrastructure relying on this software.

Mitigation Recommendations

Organizations should immediately audit their DzzOffice installations to identify affected versions (2.3.7 and earlier). Although no official patches are currently linked, monitoring vendor advisories and applying updates promptly upon release is critical. In the interim, restrict access to the /dzz/system/ueditor/php/controller.php endpoint using network-level controls such as IP whitelisting or VPN access. Implement strict file upload validation rules, including whitelisting allowed file types and scanning uploaded files for malware. Deploy web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting this endpoint. Conduct regular security assessments and penetration testing focused on file upload functionalities. Disable or limit file upload features if not essential. Employ robust logging and monitoring to detect anomalous activities related to file uploads. Educate administrators and users about the risks and signs of compromise related to arbitrary file upload vulnerabilities.
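The access-restriction and logging advice above can be checked against web server access logs. The following is an added example, not part of the advisory or of DzzOffice: it flags requests that reach the endpoint from outside an allowlist, normalizing the path first so encoded or padded variants still match. The allowlisted networks, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory.
ENDPOINT = "/dzz/system/ueditor/php/controller.php"
# Assumption: networks allowed to reach the endpoint (placeholder ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Combined log format prefix: client, timestamp, method, target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalize(target):
    """Canonicalize a request target: drop query, decode, collapse, lowercase."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    path = re.sub(r"/+", "/", path)           # '//dzz' -> '/dzz'
    return posixpath.normpath(path).lower()   # resolves './' and '../'

def check_line(line):
    """Return a finding dict for a non-allowlisted hit on ENDPOINT, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    path = normalize(target)
    # Also match trailing path info appended after the script name.
    if path != ENDPOINT and not path.startswith(ENDPOINT + "/"):
        return None
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        addr = None                           # unparsable client: never allowlisted
    if addr is not None and any(addr in net for net in ALLOWED_NETS):
        return None
    return {"client": client, "time": ts, "method": method,
            "path": path, "status": int(status)}

def scan(lines):
    return [hit for line in lines if (hit := check_line(line))]

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '203.0.113.7 - - [18/Nov/2025:19:20:01 +0000] "POST /dzz/system/ueditor/php/controller.php?t=1 HTTP/1.1" 200 112',
    '203.0.113.7 - - [18/Nov/2025:19:20:05 +0000] "POST //dzz/system/./ueditor/PHP/controller%2Ephp HTTP/1.1" 200 98',
    '10.1.2.3 - - [18/Nov/2025:19:21:00 +0000] "POST /dzz/system/ueditor/php/controller.php HTTP/1.1" 200 120',
    '198.51.100.9 - - [18/Nov/2025:19:22:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Double-encoded paths are decoded only once here, so apply the same normalization the web server itself performs if it differs.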


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 691cc5445990fe54bdeeced6

Added to database: 11/18/2025, 7:13:08 PM

Last enriched: 11/18/2025, 7:13:22 PM

Last updated: 11/21/2025, 7:14:09 PM
