CVE-2025-65806: n/a
The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets.
AI Analysis
Technical Summary
CVE-2025-65806 affects the file upload functionality of E-POINT CMS eagle.gsam-1169.1. The vulnerability arises from improper handling of nested archive files during extraction: the CMS accepts a ZIP archive that contains another ZIP archive, where the inner archive includes an executable file such as webshell.php. During extraction the CMS neither adequately validates the archive contents nor strictly restricts where files are written. Executable files can therefore land in web-accessible directories, allowing an attacker to execute arbitrary code remotely on the server hosting the CMS. This remote code execution (RCE) can lead to data disclosure, compromise of user accounts, and potentially full system compromise, depending on the privileges of the web server process. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and has a CVSS v3.1 base score of 8.0, indicating high severity. The attack requires network access and is of low complexity, but it also requires the attacker to hold some level of privileges (PR:L) and requires user interaction (UI:R). No public exploits are currently known in the wild, but the risk remains significant due to the potential impact. The vulnerability was published on December 4, 2025, with the issue reserved on November 18, 2025. No patches are currently linked, so affected organizations need to apply mitigations immediately.
Potential Impact
For European organizations, the impact of CVE-2025-65806 can be substantial. Organizations using E-POINT CMS for public-facing websites or internal portals risk unauthorized remote code execution, which can lead to data breaches involving sensitive personal or corporate information. This is particularly critical for sectors such as government, finance, healthcare, and critical infrastructure where confidentiality and integrity are paramount. Compromise of web servers can also facilitate lateral movement within networks, enabling attackers to escalate privileges and disrupt availability of services. The vulnerability's exploitation could result in reputational damage, regulatory penalties under GDPR for data breaches, and operational downtime. Since the vulnerability requires authenticated access and user interaction, insider threats or phishing campaigns could be leveraged to exploit it. The lack of available patches increases the urgency for organizations to implement compensating controls to reduce exposure.
Mitigation Recommendations
To mitigate CVE-2025-65806, organizations should immediately implement strict validation of uploaded archive files, including scanning nested archives for executable content before extraction. File upload functionality should enforce whitelist policies that restrict allowed file types and disallow nested archives and executable files within archives. Extraction must be constrained to non-web-accessible directories, with strict path traversal protections to prevent files from being placed in sensitive locations. Employ web application firewalls (WAFs) to detect and block suspicious upload patterns, and monitor logs for unusual extraction activity. Limit user privileges to the minimum necessary to reduce the impact of potential exploitation. Since no official patches are currently available, organizations should engage with the vendor for updates and consider temporarily disabling the vulnerable upload feature if feasible. Regular security awareness training to prevent phishing and credential compromise can reduce the risk of authenticated attackers exploiting this vulnerability.
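A pre-extraction check along the lines recommended above, written in Python as an added example; it is not E-POINT CMS code or a vendor fix. The allowlist, the limits and the names `inspect_zip` and `make_zip` are assumptions made for illustration, and the sample archive is constructed with inert placeholder content.

```python
import io
import posixpath
import zipfile

# Assumed policy values for this example; tune per deployment.
ALLOWED_EXT = {".png", ".jpg", ".gif", ".pdf", ".txt", ".css"}
MAX_MEMBERS, MAX_TOTAL_BYTES, MAX_DEPTH = 1000, 50 * 1024 * 1024, 3

def inspect_zip(data: bytes, prefix: str = "", depth: int = 0) -> list[str]:
    """Return policy violations for an uploaded ZIP; an empty list means accept."""
    where = prefix or "upload"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{where}: not a valid ZIP"]
    problems = []
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        # Check declared sizes before reading anything (decompression-bomb guard).
        if len(infos) > MAX_MEMBERS or sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            return [f"{where}: archive exceeds size limits"]
        for info in infos:
            name = info.filename.replace("\\", "/")
            label = prefix + name
            norm = posixpath.normpath(name)
            if name.startswith("/") or ":" in name or norm == ".." or norm.startswith("../"):
                problems.append(f"{label}: path escapes extraction root")
            body = zf.read(info)
            # Detect archives by content, not by file name.
            if zipfile.is_zipfile(io.BytesIO(body)):
                problems.append(f"{label}: nested archive")
                if depth < MAX_DEPTH:  # keep descending so the log names the inner files
                    problems += inspect_zip(body, label + "!/", depth + 1)
            elif posixpath.splitext(name.lower())[1] not in ALLOWED_EXT:
                problems.append(f"{label}: type not allowlisted")
    return problems

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (used only to construct the sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: inert placeholder bytes in the nested layout the advisory describes.
INNER = make_zip({"webshell.php": b"inert placeholder content for the example"})
SAMPLE = make_zip({"images/logo.png": b"\x89PNG" + b"\0" * 32, "bundle.zip": INNER})

if __name__ == "__main__":
    for line in inspect_zip(SAMPLE):
        print(line)
```

An upload that returns any violation is rejected as a whole. Accepted archives should still be extracted to a directory outside the web root, as the recommendations state.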
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6931dff2e9ea82452668a427
Added to database: 12/4/2025, 7:24:34 PM
Last enriched: 12/11/2025, 9:58:59 PM
Last updated: 1/17/2026, 3:58:26 PM