CVE-2025-7065 is a critical vulnerability affecting the Polska Akademia Dostępności (PAD) CMS, specifically its photo upload functionality. The root cause is a client-controlled permission check parameter that allows an unauthenticated remote attacker to bypass restrictions on file types and extensions during upload. This unrestricted file upload vulnerability (CWE-434) enables attackers to upload malicious files, such as web shells or scripts, which can then be executed on the server. Execution of these files leads to Remote Code Execution (RCE), allowing attackers to fully compromise the affected system. The vulnerability impacts all three PAD CMS templates: www, bip, and ww+bip. Notably, PAD CMS is an End-Of-Life product, and the vendor will not issue any patches or updates to remediate this flaw. The vulnerability has a CVSS 4.0 base score of 10.0, indicating maximum severity, with attack vector being network-based, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the ease of exploitation and critical impact make this a significant threat. The vulnerability was published on September 30, 2025, and assigned by CERT-PL, indicating recognition by Polish national cybersecurity authorities.

For European organizations using PAD CMS, this vulnerability poses a severe risk. Successful exploitation grants attackers full remote code execution capabilities, potentially leading to complete system compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Given the CMS is used primarily in Poland (as indicated by the vendor and CERT-PL involvement), public sector or educational institutions relying on PAD CMS may be targeted. The lack of vendor support and patches means organizations must rely on alternative mitigations or migration strategies. The vulnerability threatens confidentiality (exfiltration of sensitive data), integrity (alteration of website content or data), and availability (service disruption or destruction). The critical severity and unauthenticated remote exploitation vector make this a high-priority threat for affected entities, especially those with sensitive or regulated data under GDPR. Additionally, the presence of multiple templates affected increases the attack surface. The impact extends beyond Poland to any European organization still operating PAD CMS instances, particularly in sectors where CMS security is paramount.

Since PAD CMS is End-Of-Life and no patches will be provided, organizations must adopt compensating controls. Immediate mitigation includes disabling or restricting the photo upload functionality entirely if feasible. If upload functionality is essential, implement strict web application firewall (WAF) rules to detect and block suspicious file uploads, especially those with executable extensions or embedded code. Employ network segmentation to isolate CMS servers from critical infrastructure and sensitive data stores. Conduct thorough access control reviews and monitor logs for unusual upload or execution activity. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect exploitation attempts. Ultimately, organizations should plan and execute migration away from PAD CMS to a supported and actively maintained CMS platform. Regular backups and incident response plans should be updated to prepare for potential exploitation. Security awareness training for administrators about this vulnerability and its risks is also recommended.