CVE-2025-8120: CWE-434 Unrestricted Upload of File with Dangerous Type in Polska Akademia Dostępności PAD CMS
CVE-2025-8120 is a critical vulnerability in the Polska Akademia Dostępności PAD CMS that allows unauthenticated remote attackers to upload and execute arbitrary files due to improper validation of upload permissions. This unrestricted file upload flaw affects all three templates of PAD CMS (www, bip, ww+bip) and can lead to remote code execution without any authentication or user interaction. The product is end-of-life, and no patches will be issued, increasing the risk for organizations still using it. The vulnerability has a maximum CVSS score of 10, reflecting its severe impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the ease of exploitation and critical impact make this a significant threat. European organizations using PAD CMS, especially in Poland and neighboring countries, are at highest risk. Immediate mitigation involves discontinuing use of PAD CMS or isolating affected systems, implementing strict network segmentation, and monitoring for suspicious file uploads or execution attempts.
AI Analysis
Technical Summary
CVE-2025-8120 is a critical security vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Polska Akademia Dostępności (PAD) CMS. The root cause is a client-controlled permission check parameter in the photo upload functionality, which fails to properly restrict file types and extensions. This flaw allows an unauthenticated remote attacker to upload files of any type, including executable scripts or binaries, without any validation or restriction. Once uploaded, these files can be executed on the server, resulting in remote code execution (RCE). The vulnerability affects all three templates of PAD CMS: www, bip, and ww+bip. The product is End-Of-Life, and the vendor will not provide patches or updates to remediate this issue. The CVSS v4.0 score is 10.0, indicating a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability was reserved in July 2025 and published in September 2025. No known exploits have been reported in the wild yet, but the combination of no authentication needed and direct RCE potential makes this a highly exploitable and dangerous vulnerability.
Potential Impact
The impact of CVE-2025-8120 on European organizations is significant, particularly for those still operating PAD CMS for their web content management. Successful exploitation allows attackers to execute arbitrary code remotely, potentially leading to full system compromise, data theft, defacement, or use of the compromised server as a pivot point for further attacks. Confidentiality is at risk due to possible data exfiltration, integrity is compromised as attackers can alter content or system files, and availability can be disrupted by malicious payloads or ransomware deployment. Since PAD CMS is used primarily in Poland and possibly in other Central and Eastern European countries, organizations in these regions face the highest risk. The lack of vendor support and patches means organizations must rely on compensating controls or migration to secure platforms. The vulnerability also poses a reputational risk and potential regulatory compliance issues under GDPR if personal data is compromised.
Mitigation Recommendations
Because the product is end-of-life and no patches will be released, the primary mitigation is to discontinue use of PAD CMS immediately and migrate to a supported, secure CMS platform. If migration is not immediately feasible, isolate PAD CMS servers in segmented network zones with strict access controls to limit exposure. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious file uploads or execution attempts. Disable or restrict the photo upload functionality if possible. Log and monitor all file upload activity and server execution logs to detect exploitation attempts. Regularly audit the CMS environment for unauthorized files or changes. Employ intrusion detection/prevention systems (IDS/IPS) tuned to exploitation patterns for file upload vulnerabilities. Finally, educate administrators and users about the risks and signs of compromise related to this vulnerability.
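The audit step in the recommendations above, as an added example that is not PAD CMS code: it walks an upload directory and flags files whose name carries a server-side script extension, whose extension is not on an image allow-list, or whose leading bytes do not match the image type the extension claims (the check a CWE-434 upload handler should have done server-side). It assumes a filesystem upload directory and a PHP/ASP/JSP-style hosting stack for the script-extension list; the file names in the comments are constructed.

```python
# Added example: audit a CMS upload directory for files that should never
# be there. Because the vulnerable upload handler trusted a client-supplied
# permission flag, nothing verified what landed on disk; this does it after the fact.
import os
from typing import List, Optional, Tuple

# Allowed photo types and the magic bytes each must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that mean "server-side code" on common web stacks (assumption:
# PHP/ASP/JSP hosting; extend the set for your own environment).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".sh"}
HEAD_BYTES = 16  # enough to cover every signature in IMAGE_MAGIC


def classify_upload(name: str, head: bytes) -> Optional[str]:
    """Return a finding for a suspicious upload, or None if it looks like a real photo."""
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]  # every extension: "a.php.jpg" -> [".php", ".jpg"]
    if not exts:
        return "no extension"
    # A script extension anywhere in the name matters on servers that map
    # handlers by any extension, not only the last one.
    if any(e in SCRIPT_EXTS for e in exts):
        return f"script extension in name: {name}"
    last = exts[-1]
    if last not in IMAGE_MAGIC:
        return f"extension not on image allow-list: {last}"
    if not any(head.startswith(m) for m in IMAGE_MAGIC[last]):
        return f"content does not match {last} signature"
    return None


def audit_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk an upload tree and return (relative path, reason) for every suspicious file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            reason = classify_upload(fname, head)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return findings
```

Run `audit_uploads` against the CMS photo directory on a schedule and alert on any non-empty result; a mismatch between extension and content is the classic sign of a disguised upload.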
Affected Countries
Poland, Germany, Czech Republic, Slovakia, Hungary
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-07-24T14:25:08.034Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68dbac586e3c400c0ffa5e05
Added to database: 9/30/2025, 10:09:28 AM
Last enriched: 10/7/2025, 11:30:23 AM
Last updated: 11/14/2025, 5:24:03 AM
Views: 64