CVE-2025-34163 in Dongsheng Logistics Softwareinfo

Summary

by MITRE • 08/28/2025

Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/26/2026

This vulnerability exists within Dongsheng Logistics Software where an unauthenticated endpoint at /CommMng/Print/UploadMailFile lacks proper file type validation and access control mechanisms. The endpoint accepts multipart/form-data POST requests without adequate sanitization of uploaded files, creating a critical security flaw that enables arbitrary file uploads. Attackers can exploit this weakness by crafting malicious requests that include executable scripts such as .ashx files, which are commonly used in asp.net applications for handling HTTP requests. The absence of file type validation allows attackers to bypass normal upload restrictions and execute arbitrary code on the server. This represents a classic insecure file upload vulnerability that directly violates security best practices and industry standards such as CWE-434 which specifically addresses insecure upload of code. The vulnerability falls under the ATT&CK technique T1190 for Exploit Public-Facing Application, as it targets a publicly accessible endpoint that can be exploited without authentication. The exploitation process involves sending a crafted POST request with malicious file content, which the server then processes and stores without proper validation. Given that the vulnerability affects builds released prior to July 2025, organizations using older versions of the software are at significant risk of compromise. The lack of defined affected version ranges makes it challenging for security teams to assess their exposure accurately, but the remediation in newer versions suggests that proper access controls and file validation have been implemented. This flaw could potentially lead to complete system compromise, allowing attackers to establish persistent access, escalate privileges, and exfiltrate sensitive data from the affected infrastructure. The impact extends beyond simple code execution as it provides attackers with a foothold to conduct further reconnaissance and lateral movement within the network. Organizations should immediately assess their deployment of this software to identify vulnerable systems and implement mitigations including access control restrictions, file type validation, and network segmentation to prevent unauthorized access to the vulnerable endpoint. The vulnerability demonstrates a critical failure in the principle of least privilege and proper input validation, both of which are fundamental requirements for secure application development as outlined in OWASP Top Ten and NIST cybersecurity frameworks.

Responsible

VulnCheck

Reservation

04/15/2025

Disclosure

08/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00610

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!