Vulnerability Description
UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement.
Related Weaknesses (CWE)
References
- https://unform.com/download/uf101_readme.txt
- https://www.vulncheck.com/advisories/unform-server-doc-flow-unauthenticated-file
FAQ
What is CVE-2025-34350?
CVE-2025-34350 is a documented vulnerability. UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to r...
How severe is CVE-2025-34350?
CVSS scoring is not yet available for CVE-2025-34350. Check NVD for updates.
Is there a patch for CVE-2025-34350?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.