CVE-2025-34046

Public Exploit

Fanwei E-Office Unauthenticated File Upload

Description

An unauthenticated file upload vulnerability exists in the Fanwei E-Office <= v9.4 web management interface. The vulnerability affects the /general/index/UploadFile.php endpoint, which improperly validates uploaded files when invoked with certain parameters (uploadType=eoffice_logo or uploadType=theme). An attacker can exploit this flaw by sending a crafted HTTP POST request to upload arbitrary files without requiring authentication. Successful exploitation could enable remote code execution on the affected server, leading to complete compromise of the web application and potentially the underlying system.

References

Link	Tags
https://www.cnvd.org.cn/flaw/show/CNVD-2021-49104	third party advisory
https://github.com/M0ge/CNVD-2021-49104-Fanwei-Eoffice-fileupload/blob/main/eoffice_fileupload.py	exploit
https://vulncheck.com/advisories/fanwei-eoffice-file-upload	third party advisory
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2021/CNVD-2021-49104.yaml	exploit

Frequently Asked Questions

What is the severity of CVE-2025-34046?: CVE-2025-34046 has been scored as a critical severity vulnerability.
How to fix CVE-2025-34046?: To fix CVE-2025-34046, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-34046 being actively exploited in the wild?: It is possible that CVE-2025-34046 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-34046?: CVE-2025-34046 affects Shanghai Fanwei Network Technology E-Office.

Description

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions