CVE-2025-34163
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2025-08-27

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-27
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34163
EUVD
EUVD-2025-26060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qindao_dongsheng_weiye_software logistics_software *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can allow an attacker to execute arbitrary code remotely on the affected server, which may lead to full system compromise. This means the attacker could gain control over the server, access sensitive data, disrupt services, or use the compromised system to launch further attacks.

Executive Summary

This vulnerability in Dongsheng Logistics Software involves an unauthenticated endpoint (/CommMng/Print/UploadMailFile) that does not properly validate file types or enforce access control. An attacker can exploit this by uploading arbitrary files, including executable scripts like .ashx, through a specially crafted multipart/form-data POST request. This can lead to remote code execution on the server, potentially allowing the attacker to fully compromise the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34163. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart