
CVE-2025-8120: CWE-434 Unrestricted Upload of File with Dangerous Type in Polska Akademia Dostępności PAD CMS

Critical
Tags: vulnerability, CVE-2025-8120, CWE-434
Published: Tue Sep 30 2025 (09/30/2025, 10:05:03 UTC)
Source: CVE Database V5
Vendor/Project: Polska Akademia Dostępności
Product: PAD CMS

Description

Due to a client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction; the uploaded files can then be executed, leading to remote code execution. This issue affects all three templates: www, bip and ww+bip. This product is end-of-life and the vendor will not publish patches for this vulnerability.

AI-Powered Analysis

Last updated: 09/30/2025, 10:10:20 UTC

Technical Analysis

CVE-2025-8120 is a critical vulnerability in the Polska Akademia Dostępności (PAD) CMS, affecting the photo upload functionality in all three templates: www, bip and ww+bip. The root cause is a permission check that depends on a parameter supplied by the client. Because the server trusts a value the attacker controls, the check can be passed without any credentials, and once past it the upload handler applies no server-side restriction on file type or extension. This is an unrestricted file upload (CWE-434): an attacker can place a server-side script such as a web shell in a location the web server will execute and then trigger it with an ordinary HTTP request, which yields remote code execution in the context of the web server process. The vulnerability is particularly severe because it requires no authentication and no user interaction and is exploitable remotely over the network. The product is end-of-life, and the vendor will not provide patches, so the exposure is permanent for organizations that keep running PAD CMS. The CVSS 4.0 base score is 10.0, reflecting the network attack vector, the absence of required privileges or user interaction, and high impact on confidentiality, integrity and availability. No exploitation in the wild has been reported so far, but the simplicity of the attack and the severity of its outcome make this a significant threat. The advisory does not limit the set of affected versions and no fixed version exists, so every deployment of any template should be treated as vulnerable.
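As an added illustration of the flaw described above (example code, not PAD CMS's own and not taken from the advisory), the following Python contrasts an upload handler whose permission check is a client-supplied form field with one that authorizes from the server-side session and validates the file before storing it. The field name is_admin, the upload directory and the image allow-list are assumptions for the example; the advisory does not name PAD CMS's actual parameter or paths.

```python
"""Client-controlled permission flag versus server-side authorization plus content
validation for a photo upload handler.

Added illustration of the CWE-434 pattern behind CVE-2025-8120; this is not PAD CMS
code. The form field name ``is_admin``, the upload directory and the allow-list are
assumptions for the example only.
"""
import os
import re
import secrets
from dataclasses import dataclass
from typing import Optional

UPLOAD_DIR = "/var/www/uploads/photos"   # assumed; must be served with script execution off

# Extension -> leading magic bytes. Only raster images are accepted.
ALLOWED = {
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
}


@dataclass
class UploadRequest:
    """Constructed stand-in for a framework request object."""
    form: dict                          # client-supplied form fields
    filename: str                       # client-supplied file name
    data: bytes                         # file body
    session_user: Optional[str] = None  # set from the server-side session, never by the client


def vulnerable_upload(req):
    """Before: the 'permission check' is a form field the client sends, and the
    client's file name (extension included) is stored as-is in a web-served directory.
    Returns the path that would be written, or None if the flag is absent or not '1'."""
    if req.form.get("is_admin") != "1":
        return None
    return os.path.join(UPLOAD_DIR, os.path.basename(req.filename))


def hardened_upload(req, allowed=ALLOWED):
    """After: authorize from server state, allow-list the extension, confirm the body
    matches the claimed type, and choose the stored name ourselves.
    Returns (accepted, detail) where detail is the stored path or the rejection reason."""
    # 1. Authorization comes from the session, not from anything in the request body.
    if req.session_user is None:
        return (False, "login required")
    # 2. Extension allow-list on the LAST extension only; a name containing a path
    #    separator or lacking an extension is rejected outright.
    m = re.fullmatch(r"[^/\\]+\.([A-Za-z0-9]{1,5})", req.filename)
    if not m:
        return (False, "missing or malformed extension")
    ext = m.group(1).lower()
    if ext not in allowed:
        return (False, f"extension not allowed: .{ext}")
    # 3. Content sniff: 'shell.php.jpg' passes step 2 but its body is PHP, not JPEG.
    if not req.data.startswith(allowed[ext]):
        return (False, "content does not match extension")
    # 4. Server-chosen file name: random token plus the validated extension, so the
    #    client's name never reaches the filesystem.
    stored = os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
    return (True, stored)


if __name__ == "__main__":
    shell = UploadRequest(form={"is_admin": "1"}, filename="shell.php",
                          data=b"<?php system($_GET['c']); ?>")
    print("vulnerable handler would write:", vulnerable_upload(shell))
    print("hardened handler says:", hardened_upload(shell))
```

The hardened handler is only half of the fix: the directory that receives uploads must also be served with script execution disabled (no PHP or CGI handler mapped to that path), so that even a validation bypass yields a static file rather than code execution.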

Potential Impact

For European organizations running PAD CMS, this vulnerability poses a severe risk. Successful exploitation gives the attacker arbitrary code execution on the web server, which can be used for data theft, defacement, ransomware deployment, or as a foothold for pivoting into internal networks. PAD CMS is used by Polish, and possibly other European, institutions with a focus on accessibility, including government and public-sector websites, so the consequences include disruption of public services, loss of public trust and exposure of sensitive data. Because the product is end-of-life, no official patch will arrive; affected organizations must either implement compensating controls themselves or migrate to another CMS, both of which add operational cost and complexity. The flaw could also be leveraged by threat actors targeting European public-sector infrastructure, especially in Poland, for espionage or sabotage. The critical severity and ease of exploitation make timely mitigation essential to prevent widespread compromise.

Mitigation Recommendations

Since no patch will be released, organizations must apply compensating controls immediately:

1) Disable the photo upload functionality in PAD CMS if it is not essential; this removes the attack surface entirely.
2) Restrict who can reach the upload endpoint at the network or reverse-proxy layer (IP allow-listing, VPN, or proxy-enforced authentication). Because the application's own permission check is client-controlled it provides no protection, so authentication must be enforced somewhere the attacker cannot influence.
3) Deploy a Web Application Firewall with custom rules for the upload endpoint. Treat extension blocklists as a weak filter: variants such as .phtml, .phar, .php5, uppercase extensions and double extensions (image.jpg.php) routinely evade them, so prefer an allow-list of the expected image types and reject everything else.
4) At the web server or reverse proxy, disable script execution for the directory that receives uploads (no PHP or CGI handler mapped to that path) and validate allowed file types there. This is the control that most directly neutralizes an uploaded web shell.
5) Monitor server logs and network traffic for signs of exploitation: POST requests to the upload endpoint from unauthenticated or unusual sources, and any request for a script extension under the upload directory.
6) Plan and execute a migration to a supported, secure CMS as soon as possible; the other controls only buy time.
7) Run the CMS under a low-privilege account and inside a container or other sandbox so that code execution, if achieved, is contained.
8) Back up CMS data and configuration regularly, and test restoration, to enable rapid recovery after a compromise.
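The following Python is an added example of the log monitoring in item 5 (not part of the advisory or of PAD CMS): it parses access log lines in the Apache/nginx combined format and flags requests for script extensions under the upload directory, raising the severity when the same client made a successful POST to the upload endpoint shortly before. The endpoint path /admin/upload-photo, the directory prefix /uploads/photos/ and the log lines themselves are constructed assumptions; substitute the routes your deployment actually uses.

```python
"""Detect upload-then-execute patterns in web server access logs.

Added example for the log-monitoring recommendation; not part of PAD CMS or the
advisory. Assumptions (not from the advisory): UPLOAD_ENDPOINT, UPLOAD_PREFIX and
the constructed sample log lines in SAMPLE_LOG. Input is combined log format.
"""
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/admin/upload-photo"   # assumed; use the CMS's actual upload route
UPLOAD_PREFIX = "/uploads/photos/"        # assumed web path of stored photos
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
               "asp", "aspx", "jsp", "jspx", "cgi", "pl", "py", "sh"}
WINDOW = timedelta(minutes=10)            # how long after an upload a fetch counts as correlated

# client ip, ident, user, [timestamp], "METHOD path proto", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def script_ext(path):
    """Return the final extension if it is a server-side script type, else None.
    Only the last extension matters here: the web server executes 'x.jpg.php',
    while 'x.php.jpg' is an upload-validation problem, not an execution one."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[-1].lower()
    return ext if ext in SCRIPT_EXTS else None


def detect(lines):
    """Return alerts as (severity, reason, ip, path) tuples, in log order."""
    alerts = []
    recent_uploads = {}   # ip -> time of the last successful POST to the upload endpoint
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT and 200 <= rec["status"] < 300:
            recent_uploads[ip] = ts
            continue
        if path.startswith(UPLOAD_PREFIX) and script_ext(path):
            last = recent_uploads.get(ip)
            if last is not None and ts - last <= WINDOW:
                alerts.append(("high", "upload then request of script in upload dir", ip, path))
            elif rec["status"] == 200:
                alerts.append(("high", "script served from upload dir", ip, path))
            else:
                alerts.append(("medium", "probe for script in upload dir", ip, path))
    return alerts


# Constructed sample log: one upload-then-webshell sequence, one legitimate photo
# upload, and one unrelated probe for a script that does not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Sep/2025:10:12:01 +0000] "POST /admin/upload-photo HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [30/Sep/2025:10:12:03 +0000] "GET /uploads/photos/shell.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.4"
198.51.100.4 - - [30/Sep/2025:10:13:40 +0000] "POST /admin/upload-photo HTTP/1.1" 200 12000 "https://example.org/admin" "Mozilla/5.0"
198.51.100.4 - - [30/Sep/2025:10:13:44 +0000] "GET /uploads/photos/team.jpg HTTP/1.1" 200 11800 "https://example.org/admin" "Mozilla/5.0"
203.0.113.9 - - [30/Sep/2025:10:15:00 +0000] "GET /uploads/photos/x.phtml HTTP/1.1" 404 210 "-" "python-requests/2.32"
""".splitlines()

if __name__ == "__main__":
    for sev, reason, ip, path in detect(SAMPLE_LOG):
        print(f"{sev.upper():6} {ip:15} {path}  ({reason})")
```

Run it against the real access log with the two constants adjusted; a "high" alert on a 200 response for a script under the upload directory means the shell is already live, and the correlated POST gives the upload time to scope the incident.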


Technical Details

Data Version
5.1
Assigner Short Name
CERT-PL
Date Reserved
2025-07-24T14:25:08.034Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68dbac586e3c400c0ffa5e05

Added to database: 9/30/2025, 10:09:28 AM

Last enriched: 9/30/2025, 10:10:20 AM

Last updated: 9/30/2025, 11:25:02 AM

