CVE-2025-34350

Severity: High · CVSS 4.0 base score 8.7 · EPSS 54.3%
Published: Nov 25, 2025 · Last modified: Jun 17, 2026

Description

UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement.
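The description names two controls the 'arc' handler lacked: an authentication check, and confinement of the user-supplied 'pp' value to a fixed document root (which is also what stops a UNC name from triggering outbound SMB authentication). The Python below is an added example written for this entry, not UnForm's code and not a description of how the product resolves 'pp' internally. It shows a hardened resolver for such a parameter and reuses the same rejection logic to hunt for suspicious 'arc' requests in access logs. DOC_ROOT, resolve_resource, is_allowed, flag_suspicious_requests and the sample log lines are assumptions constructed for the example.

```python
"""Hardened resolution of a user-supplied page/resource parameter.

Added example, not UnForm's code. It models the two controls the advisory
says the 'arc' handler lacked: an authentication check and confinement of
the 'pp' parameter to a fixed document root, including outright rejection
of UNC, drive-letter and rooted names.
"""
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import parse_qs, urlsplit
import posixpath

# Assumed document root for Doc Flow resources (illustrative layout).
DOC_ROOT = PurePosixPath("/srv/unform/docflow")


class ResourceError(Exception):
    """Raised when a requested resource name must not be served."""


def _is_rooted_or_unc(pp: str) -> bool:
    """True for UNC (\\\\host\\share), drive-letter (C:...) or rooted (/x, \\x) names.

    None of these is a legitimate relative resource name, and a UNC name is
    what lets a Windows host be coerced into outbound SMB authentication.
    """
    win = PureWindowsPath(pp)
    return bool(win.drive or win.root) or pp.startswith(("\\\\", "//"))


def resolve_resource(pp: str, authenticated: bool) -> PurePosixPath:
    """Map the user-supplied 'pp' value to a path confined to DOC_ROOT.

    'pp' is assumed to be already URL-decoded by the web framework.
    """
    if not authenticated:
        raise ResourceError("authentication required")
    if not pp or "\x00" in pp:
        raise ResourceError("empty or malformed resource name")
    if _is_rooted_or_unc(pp):
        raise ResourceError("absolute, drive-letter and UNC paths are not allowed")
    # Treat both separators as separators so '..\\' cannot slip past a check
    # that only understands '/'; then collapse '.' and '..' components.
    normalized = posixpath.normpath(pp.replace("\\", "/"))
    if normalized in (".", "..") or normalized.startswith(("../", "/")):
        raise ResourceError("path escapes document root")
    candidate = DOC_ROOT / normalized
    # Defence in depth: the joined path must still sit strictly below DOC_ROOT.
    if DOC_ROOT not in candidate.parents:
        raise ResourceError("path escapes document root")
    return candidate


def is_allowed(pp: str, authenticated: bool = True) -> bool:
    """Boolean convenience wrapper around resolve_resource."""
    try:
        resolve_resource(pp, authenticated)
    except ResourceError:
        return False
    return True


def flag_suspicious_requests(log_lines):
    """Return (line, reason) pairs for request lines whose 'pp' value the
    hardened resolver would refuse. Intended for retro-hunting in access
    logs of a server that ran an unpatched version."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        target = urlsplit(parts[1])
        if not target.path.endswith("/arc"):
            continue
        for pp in parse_qs(target.query).get("pp", []):
            try:
                resolve_resource(pp, authenticated=True)
            except ResourceError as exc:
                findings.append((line, str(exc)))
    return findings


# Constructed sample request lines (not real traffic).
SAMPLE_LOG = [
    "GET /arc?pp=reports/summary.html HTTP/1.1",
    "GET /arc?pp=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /arc?pp=%5C%5Cexample-host%5Cshare%5Cpage HTTP/1.1",
    "GET /login HTTP/1.1",
]

if __name__ == "__main__":
    for line, reason in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Rejecting rooted, drive-letter and UNC names before any normalisation matters because a check that only looks for `..` would pass a plain UNC name straight through; the final `parents` test catches anything the earlier string checks missed.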

CVSS Details

Base Score: 8.7 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Threat Intelligence

EPSS exploit probability: 54.3% percentile
Exploit status: No known exploit
Patch status: No patch available

Weaknesses (2)

CWE-22 Path Traversal
CWE-918 Server-Side Request Forgery (SSRF)

References (2)

  • unform.com https://unform.com/download/uf101_readme.txt
  • vulncheck.com https://www.vulncheck.com/advisories/unform-server-doc-flow-unauthenticated-file-read

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.