CVE-2025-1980: Remote Code Execution via Unrestricted File Upload in Ready_

7.1 CVSS

Description

The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. Refer to the Required Configuration for Exposure section for more information.

Classification

CVE ID: CVE-2025-1980

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: Symfonia

Product: Ready_

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.27% (probability of being exploited)

EPSS Percentile: 49.87% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1980
https://cert.pl/posts/2025/04/CVE-2025-1980
https://cert.pl/en/posts/2025/04/CVE-2025-1980
https://ready-os.com/pl/

Timeline

2025-04-16 13:40:18 UTC
CVE

Remote Code Execution via Unrestricted File Upload in Ready_