
CVE-2025-9099: Unrestricted Upload in Acrel Environmental Monitoring Cloud Platform

Severity: Medium
Published: Mon Aug 18 2025 (08/18/2025, 01:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Acrel
Product: Environmental Monitoring Cloud Platform

Description

A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/18/2025, 01:32:46 UTC

Technical Analysis

CVE-2025-9099 is a medium-severity vulnerability affecting the Acrel Environmental Monitoring Cloud Platform, specifically versions up to 20250804. The vulnerability resides in the file upload functionality at the endpoint /NewsManage/UploadNewsImg, where the 'File' argument can be manipulated to allow unrestricted file uploads. This flaw enables an unauthenticated remote attacker to upload arbitrary files to the server without any restrictions or validation. The lack of proper access controls and input validation on the file upload mechanism could allow attackers to upload malicious payloads such as web shells, malware, or scripts that could be executed on the server. The CVSS 4.0 vector indicates that the attack requires low privileges (PR:L), no user interaction (UI:N) and no authentication (AT:N); the impacts on confidentiality, integrity, and availability are each rated low, but in combination they could lead to significant compromise if the flaw is exploited. The vendor has been contacted but has not responded or issued a patch, and public exploit details have been disclosed, increasing the risk of exploitation. This vulnerability is particularly concerning in an environmental monitoring context, where data integrity and availability are critical for operational safety and compliance. The unrestricted upload could lead to data tampering, service disruption, or unauthorized access to sensitive environmental data and control systems.

Potential Impact

For European organizations using the Acrel Environmental Monitoring Cloud Platform, this vulnerability poses a risk to the integrity and availability of environmental monitoring data and systems. Environmental monitoring is often critical for regulatory compliance, safety, and operational decision-making in sectors such as energy, manufacturing, and public infrastructure. Exploitation could lead to unauthorized modification or deletion of monitoring data, disruption of monitoring services, or pivoting to other internal systems via uploaded malicious files. This could result in regulatory penalties, operational downtime, and damage to reputation. Since the vulnerability allows remote exploitation without authentication or user interaction, it increases the attack surface significantly. European organizations relying on Acrel's platform for environmental data collection and analysis must consider the risk of data manipulation or denial of service, which could impact environmental safety and compliance with EU environmental regulations such as the Industrial Emissions Directive or Water Framework Directive.

Mitigation Recommendations

Given the lack of an official patch, European organizations should implement compensating controls immediately. These include restricting network access to the vulnerable upload endpoint via firewall rules or web application firewalls (WAF) to only trusted IP addresses. Implement strict input validation and file type restrictions at the proxy or WAF level to block executable or script files. Monitor logs for unusual upload activity or unexpected file types. Employ intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts. Segregate the Acrel platform network segment from critical internal networks to limit lateral movement if compromise occurs. Conduct regular backups of environmental data and system configurations to enable recovery. Engage with Acrel for updates and consider alternative solutions if remediation is delayed. Additionally, organizations should conduct security assessments and penetration tests focused on file upload functionalities to identify similar weaknesses.
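Two of the compensating controls above worked through as an added example (not Acrel's code and not part of the advisory): a proxy- or WAF-side allow-list check for the multipart "File" part, under an assumed policy of image types only and a 2 MiB cap, and a scan of constructed access-log lines for POSTs to /NewsManage/UploadNewsImg from hosts outside a trusted set.

```python
import os
import re

# Allow-list of image extensions and the magic bytes each must begin with (assumed policy).
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024          # size cap for a news image (assumed policy)
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Combined-format access log line: client ip, request line and status code.
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def check_upload(filename: str, content_type: str, data: bytes) -> list:
    """Return the policy violations for one uploaded 'File' part; [] means accept."""
    problems = []
    # Drop any client-supplied path so only the base name is considered.
    stem, ext = os.path.splitext(os.path.basename(filename.replace("\\", "/")))
    ext = ext.lower()
    if ext not in ALLOWED:
        problems.append("extension %s not in allow-list" % (ext or "(none)"))
    # A dot in the stem catches double extensions such as upload.aspx.png.
    if not _SAFE_STEM.match(stem):
        problems.append("unsafe file name")
    if not content_type.lower().startswith("image/"):
        problems.append("content-type %s is not image/*" % content_type)
    if len(data) > MAX_BYTES:
        problems.append("file too large")
    if ext in ALLOWED and not any(data.startswith(m) for m in ALLOWED[ext]):
        problems.append("magic bytes do not match extension")
    return problems

def flag_upload_requests(log_lines, trusted_ips):
    """Return (ip, status) for POSTs to the upload endpoint from outside the trusted set."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if (m and m["method"] == "POST" and m["ip"] not in trusted_ips
                and m["path"].startswith("/NewsManage/UploadNewsImg")):
            hits.append((m["ip"], int(m["status"])))
    return hits

# Constructed sample log lines, not real traffic; 10.0.0.5 plays the trusted admin host.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Aug/2025:01:02:06 +0000] "POST /NewsManage/UploadNewsImg HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Aug/2025:01:02:10 +0000] "POST /NewsManage/UploadNewsImg HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Aug/2025:01:02:11 +0000] "GET /NewsManage/ HTTP/1.1" 200 2048',
]
```

A successful (status 200) POST from an untrusted address is the event worth alerting on; the validation result of the same request tells you whether the proxy should have blocked it.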


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-17T14:01:47.453Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a28050ad5a09ad009f3d4d

Added to database: 8/18/2025, 1:22:24 AM

Last enriched: 8/18/2025, 1:32:46 AM

Last updated: 8/22/2025, 12:34:57 AM

