Critical Arbitrary File Upload Vulnerability in WMPro

CVE-2025-15226
Unauthenticated attackers can upload web shells and achieve full server compromise.



Severity

CRITICAL – Remote Code Execution

When

29 Dec 2025

Technical Overview

A critical vulnerability, CVE-2025-15226, has been disclosed in WMPro, developed by Sunnet. The flaw allows unauthenticated remote attackers to upload arbitrary files through exposed upload functionality without validation or authentication.

Successful exploitation enables attackers to deploy web shell backdoors, granting persistent remote access and arbitrary command execution. Because the vulnerability requires no credentials, exploitation can be fully automated and scaled.

The issue affects internet-facing WMPro deployments and poses immediate risk to servers hosting sensitive data or internal applications.

CVSS v3.1: 9.8 (Critical)

Impact

  • Complete server takeover
  • Persistent unauthorized access
  • Data theft, manipulation, or destruction
  • Use of compromised servers as pivot points

Key Risk

Publicly exposed WMPro instances running unpatched versions are highly vulnerable to automated exploitation.

Recommended Actions

  • Monitor for unexpected process execution or outbound connections
  • Immediately apply vendor patches
  • Disable or restrict file upload functionality
  • Inspect systems for web shells and suspicious files
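
One way to start the "inspect systems for web shells and suspicious files" action, as an added example that is not part of the original advisory or any vendor tooling: walk the directory that receives uploads and list recently modified files whose names carry a server-side script extension, including double extensions. The extension set, the scan window and the sample directory are assumptions, since the advisory does not state the server stack or the upload path.

```python
import os
import tempfile
from datetime import datetime, timezone

# Assumption: server-side script extensions to flag; adjust to the stack
# the WMPro host actually runs (the advisory does not state it).
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

def has_script_ext(name, exts=SCRIPT_EXTS):
    """True if any dot-separated part of the name is a script extension,
    so double extensions such as 'photo.aspx.jpg' are also flagged."""
    parts = name.lower().split(".")[1:]
    return any("." + p in exts for p in parts)

def find_suspect_uploads(upload_root, since, exts=SCRIPT_EXTS):
    """Return (path, mtime) for script-like files under upload_root
    modified at or after `since` (aware datetime), newest first."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # file vanished or unreadable; skip it
            if mtime >= cutoff and has_script_ext(name, exts):
                hits.append((path, datetime.fromtimestamp(mtime, timezone.utc)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def demo():
    """Build a constructed upload directory and scan it."""
    root = tempfile.mkdtemp(prefix="uploads_demo_")
    old = datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2025, 12, 30, tzinfo=timezone.utc).timestamp()
    samples = {"report.pdf": new, "legacy.aspx": old,
               "avatar.jsp": new, "photo.aspx.jpg": new}
    for name, ts in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (ts, ts))
    since = datetime(2025, 12, 1, tzinfo=timezone.utc)  # constructed window
    return sorted(os.path.basename(p) for p, _ in find_suspect_uploads(root, since))

if __name__ == "__main__":
    print(demo())
```

Modification times can be altered by whoever wrote the file, so an empty result does not clear a host; compare hits and the wider web root against a known-good file inventory where one exists.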