Impact
The vulnerability stems from the server’s failure to enforce the readonly flag set on the <efw:elFinder> JSP tag. While the flag correctly disables UI elements and signs metadata as read‑only, the server does not verify the flag before performing write operations. Consequently, an attacker can send crafted HTTP requests directly to the file operation endpoints, bypassing the UI entirely, and perform any file system action—including upload, edit, rename, or delete—despite the readonly setting. This flaw represents a consistent access control violation (CWE‑863) that permits unauthorized modification of application data, potentially leading to confidentiality, integrity, and availability compromise.
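The missing check described above, shown as an added example rather than efw's own code: a handler that validates the signed metadata but never consults the flag, next to one that enforces it on the server before any write. All function names, the operation names `list` and `download`, the metadata layout and the path are assumptions made for illustration.

```javascript
// Added illustration; names and token layout are hypothetical, not efw's API.
const crypto = require("crypto");

const SECRET = crypto.randomBytes(32); // server-side signing key (constructed)
const READ_OPS = new Set(["list", "download"]); // hypothetical read operations
const WRITE_OPS = new Set(["upload", "edit", "rename", "delete"]);

// Issued when the tag is rendered: binds the home folder and readonly flag.
function signMeta(meta) {
  const body = JSON.stringify({ home: meta.home, readonly: Boolean(meta.readonly) });
  const mac = crypto.createHmac("sha256", SECRET).update(body).digest("hex");
  return { body, mac };
}

// Returns the signed metadata, or null if the token is malformed or altered.
function verifyMeta(token) {
  if (!token || typeof token.body !== "string" || typeof token.mac !== "string") return null;
  const expected = crypto.createHmac("sha256", SECRET).update(token.body).digest();
  const given = Buffer.from(token.mac, "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(token.body);
}

// Flawed pattern: the signature is checked, but the readonly flag it
// protects is never read, so a write request is treated like any other.
function authorizeFlawed(token, op) {
  return verifyMeta(token) !== null;
}

// Hardened pattern: deny by default, and refuse every write operation
// when the signed metadata says readonly, whatever the UI displayed.
function authorize(token, op) {
  const meta = verifyMeta(token);
  if (meta === null) return { allowed: false, reason: "bad-signature" };
  if (!READ_OPS.has(op) && !WRITE_OPS.has(op)) return { allowed: false, reason: "unknown-op" };
  if (WRITE_OPS.has(op) && meta.readonly) return { allowed: false, reason: "readonly" };
  return { allowed: true, reason: "ok" };
}
```

Because the decision is taken from the signed metadata on the server, a request that skips the UI is refused the same way as one sent through it.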
Affected Systems
The issue affects the efwGrp efw4.X framework, specifically versions released before 4.08.010. All deployments of this framework that rely on the readonly mechanism for preventing file modifications are vulnerable until they upgrade to the patched release.
Risk and Exploitability
The CVSS base score of 8.1 places this flaw in the high‑risk category. An EPSS score is not available, but because the affected framework has no mitigation in place, exploitation is likely to succeed for attackers who can interact with the affected endpoints. The vulnerability is not listed in CISA's KEV catalog; even so, the combination of a high CVSS score, the nature of the impact, and the absence of immediate protection suggests that an attacker can realistically compromise file systems using remote HTTP requests if the application remains on an affected version.