CVE-2025-7065: CWE-434 Unrestricted Upload of File with Dangerous Type in Polska Akademia Dostępności PAD CMS
CVE-2025-7065 is a critical vulnerability in the Polska Akademia Dostępności (PAD) CMS affecting all three templates (www, bip, ww+bip). It allows unauthenticated remote attackers to upload files of any type without restriction, because the photo upload functionality relies on a client-controlled permission check parameter. This unrestricted file upload can lead to remote code execution (RCE) on the affected server. The product is end-of-life, and no patches will be issued. The vulnerability has a CVSS 4.0 base score of 10.0, indicating maximum severity with no authentication or user interaction required. Although no known exploits are currently in the wild, the risk is extremely high due to the ease of exploitation and potential impact. European organizations using PAD CMS are at significant risk, especially those in Poland and countries with public sector deployments of this CMS. Immediate mitigation involves disabling the vulnerable upload functionality, isolating affected systems, and migrating to alternative supported platforms.
AI Analysis
Technical Summary
CVE-2025-7065 is a critical security vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Polska Akademia Dostępności (PAD) CMS. The vulnerability arises because the photo upload feature relies on a client-controlled permission check parameter, which an unauthenticated attacker can manipulate to upload arbitrary files without any type or extension restrictions. This flaw affects all three templates of PAD CMS: www, bip, and ww+bip. Since the uploaded files can be executed on the server, the flaw leads directly to remote code execution (RCE), allowing attackers to run arbitrary code with the privileges of the web server process. The product is end-of-life, meaning no official patches or updates will be provided by the vendor, which increases the risk for users who continue to operate this CMS. The CVSS 4.0 vector indicates the vulnerability is network exploitable (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and impacts confidentiality, integrity, and availability, with high impact extending to subsequent systems (SI:H, SA:H). Although no exploits have been reported in the wild yet, the vulnerability's characteristics make it highly exploitable and dangerous. The vulnerability was reserved in July 2025 and published in September 2025 by CERT-PL, highlighting its relevance to Polish institutions. The lack of patch availability necessitates immediate compensating controls to mitigate risk.
Potential Impact
The impact of CVE-2025-7065 on European organizations is severe. Successful exploitation results in remote code execution, allowing attackers to take full control over affected servers. This can lead to data breaches, defacement, deployment of ransomware, or pivoting to internal networks. Given that PAD CMS is used primarily in Poland and possibly other European public sector or accessibility-focused organizations, the confidentiality, integrity, and availability of critical web services may be compromised. The end-of-life status of the product means organizations cannot rely on vendor patches, increasing exposure duration. The vulnerability's ease of exploitation (no authentication or user interaction required) means attackers can rapidly compromise vulnerable systems remotely. This poses a significant threat to government websites, educational institutions, and accessibility service providers that rely on PAD CMS. The potential for widespread disruption and data loss is high, especially in sectors with sensitive or regulated data. Additionally, the vulnerability could be leveraged for supply chain attacks if PAD CMS is integrated into broader service offerings.
Mitigation Recommendations
Since no patches are available due to the product's end-of-life status, European organizations should immediately implement the following mitigations:
1) Disable or restrict the photo upload functionality entirely to prevent file uploads until a secure alternative is in place.
2) Implement strict web application firewall (WAF) rules to block HTTP requests attempting to upload files with executable extensions or suspicious payloads.
3) Isolate PAD CMS servers from critical internal networks to limit lateral movement if compromised.
4) Conduct thorough audits of existing uploaded files to detect and remove any malicious content.
5) Monitor server logs and network traffic for signs of exploitation attempts or unusual activity.
6) Plan and execute migration to a supported and actively maintained CMS platform with secure file upload controls.
7) Employ file integrity monitoring and endpoint detection and response (EDR) solutions on affected hosts.
8) Educate administrators about the risk and ensure strict access controls on the CMS backend.
These steps will reduce the attack surface and limit potential damage while transitioning away from PAD CMS.
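The following is an added illustration, not code from PAD CMS or from CERT-PL: it contrasts the CWE-434 pattern described in the technical analysis (a permission flag read from the request, no type restriction) with a server-side upload check in which authorisation comes from the session, the extension is allowlisted, the content must match the declared image type, and the stored name is generated. The same check is reused to re-audit already-uploaded files (mitigation step 4). The form field name `can_upload` and the sample payloads are constructed for the example.

```python
import os
import secrets

# Constructed sample image headers used by the checks below.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Extension allowlist and the magic bytes a file with that extension must start with.
ALLOWED = {
    "png": (PNG_MAGIC,),
    "jpg": (JPEG_MAGIC,),
    "jpeg": (JPEG_MAGIC,),
    "gif": (b"GIF87a", b"GIF89a"),
}


def vulnerable_accept(form: dict, filename: str) -> bool:
    """The CWE-434 pattern: the permission check is a field the client sends
    (hypothetical name 'can_upload'), and neither the file name nor the
    content is restricted, so any type is accepted under its original name."""
    return form.get("can_upload") == "1"


def hardened_accept(session_can_upload: bool, form: dict, filename: str, data: bytes):
    """Server-side decision. Returns (accepted, reason, stored_name).
    Client-supplied form fields carry no authority; only the server-side
    session decides whether uploads are permitted."""
    del form  # deliberately ignored
    if not session_can_upload:
        return False, "not authorised", None
    base = os.path.basename(filename)  # strip any path component
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed", None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared image type", None
    # Generated name: a client name such as 'x.php.png' never reaches disk.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def audit_existing(files):
    """Mitigation step 4: re-check (name, bytes) pairs already in the upload
    directory with the same rule and return the names that would fail today."""
    return [name for name, data in files if not hardened_accept(True, {}, name, data)[0]]
```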
Affected Countries
Poland, Germany, France, Italy, Spain, Belgium, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-07-04T10:02:18.103Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68dbac586e3c400c0ffa5df6
Added to database: 9/30/2025, 10:09:28 AM
Last enriched: 10/7/2025, 11:29:04 AM
Last updated: 11/21/2025, 12:16:38 AM