Poland bans PAD CMS software in public institutions over security risk

02.10.2025 20:00
Poland’s Digital Affairs Minister Krzysztof Gawkowski has told entities in the national cybersecurity system to immediately stop using PAD CMS, a free website management platform widely used for official pages and the Public Information Bulletin (BIP).
Polish Deputy Prime Minister and Digital Affairs Minister Krzysztof Gawkowski. Photo: PAP/Marcin Obara

The Ministry of Digital Affairs said on Wednesday that serious software weaknesses and the end of vendor support create “a real risk of a critical incident” and threaten state security.

The recommendation covers operators of essential services, digital service providers, and research institutes designated under Poland’s National Cybersecurity System Act.

That law, adopted in 2018, defines sectors such as energy, transport, banking, water and wastewater, healthcare and digital infrastructure as essential.

PAD CMS is a content management system used to build and run websites, including Public Information Bulletin (BIP) pages which host mandatory public notices.

The platform was developed under a project run by the Widzialni Foundation with past backing from the Ministry of Digital Affairs.

With the software now at end-of-life, critical defects will not be patched, the ministry warned.

The decision followed consultations with Poland’s three Computer Security Incident Response Teams, known as CSIRTs: CSIRT NASK, operated by the NASK research institute; CSIRT GOV, serving government administration; and CSIRT MON at the Ministry of Defense.

A CSIRT is a specialist team that manages cybersecurity incidents and coordinates response.

Security researchers and Poland’s national incident team have documented multiple vulnerabilities in PAD CMS.

One newly listed flaw allows passwords to be reset improperly, affecting all template variants used for standard websites and BIP.

Another enables a cross-site request forgery that can change a logged-in user’s password.

The National Vulnerability Database lists the issues under CVE-2025-8117 and CVE-2025-8119, and CERT Polska has coordinated disclosure of several PAD CMS bugs.

The Ministry of Digital Affairs said continued use of unsupported, vulnerable software could harm public safety and the vital interests of the state.

It urged affected institutions to disable PAD CMS without delay and migrate their sites to supported platforms.

(rt)

Source: PAP