CVE-2025-7063: CWE-434 Unrestricted Upload of File with Dangerous Type in Polska Akademia Dostępności PAD CMS

Severity: Critical
Tags: Vulnerability, CVE-2025-7063, cve, cve-2025-7063, cwe-434
Published: Tue Sep 30 2025 (09/30/2025, 10:03:59 UTC)
Source: CVE Database V5
Vendor/Project: Polska Akademia Dostępności
Product: PAD CMS

Description

Due to a client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction; the uploaded files can then be executed, leading to Remote Code Execution. This issue affects all three templates: www, bip and ww+bip. The product is End-Of-Life and the vendor will not publish patches for this vulnerability.

AI-Powered Analysis

AI analysis last updated: 09/30/2025, 10:11:08 UTC

Technical Analysis

CVE-2025-7063 is a critical vulnerability identified in the Polska Akademia Dostępności (PAD) CMS, a content management system used primarily in Poland. The vulnerability is classified under CWE-434, which pertains to the unrestricted upload of files with dangerous types. The root cause lies in a client-controlled permission check parameter within the file upload functionality: because the server trusts a value supplied by the client to decide whether an upload is permitted, an unauthenticated remote attacker can bypass any file type or extension restrictions and upload arbitrary files, including executable scripts. Once uploaded, these files can be executed on the server, leading to Remote Code Execution (RCE), meaning an attacker can run arbitrary code with the privileges of the web server process and potentially take full control of the affected system. The vulnerability affects all three templates of PAD CMS: www, bip, and ww+bip. Notably, PAD CMS is an End-Of-Life product, and the vendor has declared that no patches will be released to address this issue. The CVSS 4.0 base score is 10.0, indicating critical severity. The vector string (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) shows that the attack can be performed over the network with low complexity, without authentication or user interaction, with high impact on the confidentiality, integrity, and availability of the vulnerable system and equally high impact on subsequent systems (SC/SI/SA). No known exploits are currently reported in the wild, but the ease of exploitation and the severity make this a significant threat. Given the lack of vendor support and patch availability, organizations using PAD CMS are at extreme risk if they continue to operate vulnerable instances.
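The following Python is an added illustration, not PAD CMS's code (the advisory does not disclose the real parameter or endpoint names): it contrasts the client-controlled permission pattern described above with a server-side authorization check plus an extension allowlist and server-chosen file names. The form field `is_admin`, the session layout and the allowlist are hypothetical.

```python
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Allowlist of extensions the hardened path accepts (assumed for this example).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}


def vulnerable_can_upload(form: dict) -> bool:
    """CWE-434 root-cause pattern: the permission decision is read from a
    client-supplied form field, so any unauthenticated caller can grant
    itself upload rights. 'is_admin' is a hypothetical field name."""
    return form.get("is_admin") == "1"


def hardened_can_upload(session: dict) -> bool:
    """The decision is taken only from server-side session state set at login."""
    return session.get("authenticated") is True and "editor" in session.get("roles", ())


def hardened_safe_filename(original: str) -> Optional[str]:
    """Reject any name with an extension outside the allowlist, including
    double extensions such as 'shell.php.png', and replace the client's
    name with a random one so the caller never controls the stored path."""
    name = PurePosixPath(original).name      # strip directory components
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":     # no extension, or dot-file
        return None
    exts = parts[1:]
    if any(e not in ALLOWED_EXTENSIONS for e in exts):
        return None
    return f"{secrets.token_hex(16)}.{exts[-1]}"


def handle_upload(session: dict, filename: str):
    """Hardened decision for one upload request; the stored file should also
    live outside the web root, under a location with script execution disabled."""
    if not hardened_can_upload(session):
        return ("deny", "not authorized")
    stored = hardened_safe_filename(filename)
    if stored is None:
        return ("deny", "disallowed file type")
    return ("accept", stored)
```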

Potential Impact

For European organizations, particularly those in Poland where PAD CMS is primarily used, this vulnerability poses a severe risk. An attacker exploiting this flaw can gain full control over web servers hosting PAD CMS, leading to data breaches, defacement, disruption of services, and potential lateral movement within the network. Confidential information managed by the CMS could be exfiltrated or altered, damaging organizational reputation and compliance posture, especially under GDPR regulations. The ability to execute arbitrary code remotely without authentication means that attackers can deploy ransomware, establish persistent backdoors, or use the compromised servers as pivot points for further attacks. Since PAD CMS is used in public sector and accessibility-focused institutions, the impact could extend to critical public services and accessibility resources, amplifying the societal and operational consequences. The lack of patches exacerbates the risk, forcing organizations to consider immediate mitigation or migration strategies to avoid exploitation.

Mitigation Recommendations

Given that PAD CMS is End-Of-Life with no forthcoming patches, organizations must adopt compensating controls. Immediate mitigation steps include:
1) Disabling or restricting file upload functionality entirely if not essential.
2) Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts, especially those with executable extensions or unusual content types.
3) Employing strict network segmentation to isolate CMS servers from critical internal networks, limiting potential lateral movement.
4) Conducting thorough audits of existing uploaded files to identify and remove any malicious content.
5) Monitoring server logs and network traffic for anomalous activities indicative of exploitation attempts.
6) Planning and executing a migration to a supported and actively maintained CMS platform to eliminate exposure.
7) Applying least privilege principles to the web server process to minimize the impact of potential code execution.
8) Utilizing intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation patterns related to file upload vulnerabilities.
These measures, combined, can reduce the attack surface and mitigate the risk until a full replacement of the vulnerable system is feasible.
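As an added example for step 5 (not part of the advisory or of PAD CMS), this Python scans web-server access logs in the common "combined" format for the two observable stages of the attack chain: a request for a script-like file served from the upload directory, and such a request preceded by an upload POST from the same address. The endpoint `/upload`, the directory `/uploads/` and the log lines are constructed placeholders; set the paths to the deployment's real values.

```python
import re

# Apache/nginx "combined" access-log layout; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Placeholders: the advisory names no paths, so adjust these to the deployment.
UPLOAD_ENDPOINTS = ("/upload",)   # where the CMS receives uploads (assumed)
UPLOAD_DIRS = ("/uploads/",)      # where uploaded files are served from (assumed)
# Extensions a web server may execute; also hits double extensions like "x.php.png".
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|jsp|jspx|cgi|pl|sh)(\.|$)", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return one finding dict per suspicious request. A script-like file fetched
    from the upload directory is flagged on its own; if the same IP posted an
    upload earlier in the log, the finding is labelled as the full chain."""
    findings = []
    uploaders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in UPLOAD_ENDPOINTS:
            uploaders.add(rec["ip"])
            continue
        if any(path.startswith(d) for d in UPLOAD_DIRS) and SCRIPT_EXT_RE.search(path):
            reason = "script file requested from upload directory"
            if rec["ip"] in uploaders:
                reason = "upload followed by script request from same IP"
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": path,
                             "status": int(rec["status"]), "reason": reason})
    return findings


# Constructed sample lines (not real traffic): one suspicious chain, one benign
# download, and one double-extension probe that the server refused.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Sep/2025:10:15:01 +0000] "POST /upload HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [30/Sep/2025:10:15:03 +0000] "GET /uploads/cmd.php HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.5 - - [30/Sep/2025:10:16:10 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Sep/2025:10:17:00 +0000] "GET /uploads/img.php.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']}: {f['reason']}")
```

A 200 response on the flagged path means the server executed or served the file, which is the case that warrants the audit in step 4.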


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-07-04T08:50:22.941Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbac586e3c400c0ffa5df3

Added to database: 9/30/2025, 10:09:28 AM

Last enriched: 9/30/2025, 10:11:08 AM

Last updated: 10/4/2025, 7:13:22 PM
