How serious is CVE-2025-65806?

This vulnerability has a CVSS score of 4.3 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2025-65806?

Yes, proof-of-concept exploit code for CVE-2025-65806 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2025-65806?

CVE-2025-65806 affects e-point e-point cms. Check the full CVE details for specific version information.

How do I fix CVE-2025-65806?

To remediate CVE-2025-65806, check for security patches from e-point. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2025-65806

Medium

|4.3

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to upload a specially crafted ZIP file that contains another ZIP file with a malicious executable, which can then be extracted and run on the server. If the server has weak security settings, this could lead to remote code execution, allowing the attacker to take control of the system or access sensitive data.

Technical Description

The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredHigh

User InteractionRequired

Confidentiality ImpactLow

Integrity ImpactLow

Availability ImpactLow

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$552($500-$1K)

Vendor Response

Grade FPatched in 97 days

Quick Information

Published

Dec 4, 2025

4 months ago

Last Modified

Mar 11, 2026

27 days ago

Vendor

e-point

Product

e-point cms