Overview
A critical security vulnerability, identified as CVE-2025-34350, has been discovered in UnForm Server versions prior to 10.1.15. This vulnerability allows unauthenticated attackers to read arbitrary files on the server and potentially coerce the server into initiating outbound SMB authentication. Exploitation of this flaw can lead to sensitive information disclosure and, in some environments, facilitate lateral movement within the network. Immediate action is recommended to mitigate this risk.
Technical Details
The vulnerability resides in the ‘arc’ endpoint of the Doc Flow feature. The Doc Flow module uses this endpoint to retrieve and render resources named by the user-supplied ‘pp’ parameter. Versions of UnForm Server before 10.1.15 neither require authentication for this endpoint nor adequately sanitize the ‘pp’ value.
This lack of input validation enables an unauthenticated attacker to provide arbitrary local filesystem paths to the ‘pp’ parameter. As a result, the server will attempt to read and return the contents of the specified file, provided that the service account has the necessary permissions. Furthermore, on Windows deployments, providing a UNC path (e.g., \\attacker.example.com\share\file) in the ‘pp’ parameter will coerce the server to initiate an SMB connection to the attacker-controlled host, potentially exposing NTLM credentials.
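As an added, defender-side illustration (not UnForm's own code) of the input validation that closes both vectors described above, the routine below vets a ‘pp’ value against UNC, absolute and traversal forms before any file is opened, and confirms the canonical target stays inside an assumed document root, /srv/docflow.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional

# Constructed document root for this illustration; a real deployment would use
# the directory Doc Flow actually serves resources from.
DOC_ROOT = Path("/srv/docflow")


def vet_pp(pp: str, doc_root: Path = DOC_ROOT) -> Optional[str]:
    """Return None if `pp` names a file safely inside doc_root, otherwise the
    reason it must be rejected. Every rule runs before any filesystem access."""
    if not pp or "\x00" in pp:
        return "empty or NUL-containing value"
    # UNC forms (\\host\share, //host/share, \\?\UNC\host\share): on Windows the
    # file API would resolve these by opening an outbound SMB session.
    if pp.startswith(("\\\\", "//")):
        return "UNC path"
    # Absolute paths under either POSIX or Windows rules (/etc/passwd, C:\...),
    # including drive-relative forms such as C:file.
    win = PureWindowsPath(pp)
    if PurePosixPath(pp).is_absolute() or win.is_absolute() or win.drive:
        return "absolute path"
    # Treat both separator styles as separators when looking for traversal.
    parts = PurePosixPath(pp.replace("\\", "/")).parts
    if ".." in parts:
        return "path traversal"
    # Canonicalise (follows symlinks) and confirm containment in the root.
    root = doc_root.resolve()
    target = (root / "/".join(parts)).resolve()
    if target != root and root not in target.parents:
        return "escapes document root"
    return None


def resolve_resource(pp: str, doc_root: Path = DOC_ROOT) -> Path:
    """Path a hardened 'arc' handler would open, or ValueError with the reason."""
    reason = vet_pp(pp, doc_root)
    if reason:
        raise ValueError(f"rejected pp={pp!r}: {reason}")
    return (doc_root.resolve() / pp.replace("\\", "/")).resolve()
```

The authentication check the fixed version also adds is outside this snippet; it belongs in front of the handler, before the parameter is even read.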
CVSS Analysis
Currently, a CVSS score for CVE-2025-34350 is not available (N/A). However, based on the severity and potential impact of the vulnerability, it is expected to be rated as High to Critical. We will update this section as soon as the official CVSS score is released.
Possible Impact
The successful exploitation of CVE-2025-34350 can have significant consequences, including:
- Sensitive Information Disclosure: Attackers can read configuration files, application data, or other sensitive information stored on the server.
- NTLM Credential Theft: By coercing SMB authentication, attackers can capture NTLM hashes for offline cracking or relay attacks, potentially gaining unauthorized access to other systems on the network.
- Lateral Movement: Stolen credentials or discovered information can be used to move laterally within the network, compromising additional systems and data.
Mitigation and Patch Steps
The recommended mitigation is to upgrade UnForm Server to version 10.1.15 or later as soon as possible. This version contains a patch that addresses the vulnerability. The patch includes proper input validation and authentication checks to prevent unauthorized file access and SMB coercion.
- Download the latest version: Obtain the latest version of UnForm Server (10.1.15 or higher) from the official UnForm website.
- Install the update: Follow the vendor’s instructions for installing the update.
- Verify the installation: After the update is complete, verify that the server is running version 10.1.15 or higher.
If upgrading is not immediately feasible, consider implementing temporary workarounds such as network segmentation and access control lists to restrict access to the UnForm Server.
