CVE-2025-34046

Name of the Vulnerable Software and Affected Versions: Fanwei E-Office versions <= 9.4

Description: An unauthenticated file upload issue exists in the web management interface, affecting the "/general/index/UploadFile.php" endpoint. This endpoint improperly validates uploaded files when invoked with certain parameters, such as uploadType=eoffice logo or uploadType=theme. An attacker can exploit this by sending a crafted HTTP POST request to upload arbitrary files without authentication, potentially enabling remote code execution on the affected server. This could lead to the complete compromise of the web application and the underlying system.

Recommendations: For Fanwei E-Office versions <= 9.4, as a temporary workaround, consider disabling the "/general/index/UploadFile.php" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the uploadType parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.