CVE-2025-52207
Status: Awaiting Analysis
BaseFortify

Publication date: 2025-06-27

Last updated on: 2025-06-30

Assigner: MITRE

Description
PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.
Meta Information
Published: 2025-06-27
Last Modified: 2025-06-30
Generated: 2026-05-07
AI Q&A: 2025-06-27
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-23: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in MikoPBX allows an attacker to upload a PHP script to an arbitrary directory on the server via the file upload functionality in PBXCoreREST/Controllers/Files/PostController.php. The issue arises because the file upload identifier was not properly sanitized or validated, enabling directory traversal and arbitrary file placement. This could allow execution of malicious PHP code on the server. The fix involved sanitizing and validating the upload identifier to prevent directory traversal and restrict uploads to safe paths. [1]


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker to upload and execute arbitrary PHP scripts on the MikoPBX server. This can lead to full compromise of the system, including unauthorized access, data theft, service disruption, or further attacks within the network. Given the high CVSS score (9.9), the impact includes complete confidentiality, integrity, and availability loss.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for attempts to upload PHP scripts to arbitrary directories via the vulnerable endpoint in MikoPBX, specifically targeting the Files/PostController.php upload functionality. Detection can include checking web server logs or application logs for suspicious file upload requests containing PHP files or unusual 'resumableIdentifier' parameters with directory traversal patterns (e.g., '..', '/', '\'). Commands to help detect such attempts might include:

1) Using grep to find PHP upload attempts in logs: `grep -iE "\.php" /var/log/httpd/access_log` or `grep -i "resumableIdentifier" /var/log/httpd/access_log`
2) Using network monitoring tools like tcpdump or Wireshark to capture HTTP POST requests to the upload endpoint and inspecting payloads for PHP scripts.
3) Using intrusion detection systems (IDS) with rules to detect file upload attempts with suspicious filenames or directory traversal sequences. [1]
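The grep commands above only show that a request mentioned a PHP file or the 'resumableIdentifier' parameter; a triage script can go one step further and decode the parameter before checking it. The following Python script is an added example, not code from BaseFortify or from the MikoPBX project. It assumes an Apache/nginx combined-format access log in which the resumable.js parameters appear in the query string (if the parameters are carried in a multipart body, only the application log will contain them), and the sample log lines, the request path and the IP addresses in it are constructed. It generalizes the answer's '.php' check slightly to other PHP-executable extensions (.phtml, .phar) and decodes the identifier twice so a double-URL-encoded '..' is not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (combined format); not real MikoPBX traffic.
# The upload route shown is an assumption; only the query parameters matter here.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2025:10:00:01 +0000] "GET /admin-cabinet/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2025:10:00:02 +0000] "POST /pbxcore/api/files/upload?resumableIdentifier=abc123&resumableFilename=recording.wav HTTP/1.1" 200 89 "-" "resumable.js"
203.0.113.9 - - [27/Jun/2025:10:00:03 +0000] "POST /pbxcore/api/files/upload?resumableIdentifier=..%2F..%2Fwww%2Fcabinet&resumableFilename=shell.php HTTP/1.1" 200 89 "-" "curl/8.0"
198.51.100.4 - - [27/Jun/2025:10:00:04 +0000] "GET /pbxcore/api/files/upload?resumableIdentifier=x/y HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Combined access-log line: client, timestamp, request line, status. Adjust if your
# web server uses a different LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The traversal indicators the answer above lists: '..', '/' and '\'.
TRAVERSAL_RE = re.compile(r'\.\.|/|\\')
# .php is what the advisory names; .phtml/.phar are added as a generalization.
PHP_EXT_RE = re.compile(r'\.ph(p\d*|tml|ar)$', re.IGNORECASE)


def suspicious_identifier(value: str) -> bool:
    """True if the upload identifier contains a traversal sequence after decoding.

    parse_qs already decodes once; decoding again catches %252e%252e-style
    double encoding that a single-pass filter would miss.
    """
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL_RE.search(decoded))


def analyze_request(target: str) -> list[str]:
    """Return the reasons a request target looks like upload abuse (empty if none)."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for ident in params.get("resumableIdentifier", []):
        if suspicious_identifier(ident):
            reasons.append(f"traversal sequence in resumableIdentifier={ident!r}")
    for name in params.get("resumableFilename", []):
        if PHP_EXT_RE.search(unquote(name)):
            reasons.append(f"PHP script name in resumableFilename={name!r}")
    return reasons


def scan_access_log(text: str) -> list[dict]:
    """Parse each log line and collect the requests that need a closer look."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        reasons = analyze_request(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "status": m["status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} {finding["method"]} '
              f'HTTP {finding["status"]}: ' + "; ".join(finding["reasons"]))
```

Run it against a real log with `scan_access_log(open("/var/log/httpd/access_log").read())`; a 200 response next to a flagged identifier is the case to escalate, because it means the server accepted the request rather than rejecting it.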


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the official patch that sanitizes and validates the 'resumableIdentifier' parameter in the uploadFile() method of PBXCoreREST/Controllers/Files/PostController.php to prevent directory traversal and arbitrary PHP script uploads. If patching is not immediately possible, restrict or disable file upload functionality temporarily, especially for untrusted users. Additionally, implement web application firewall (WAF) rules to block requests containing suspicious file upload patterns or directory traversal sequences. Monitoring and blocking suspicious IP addresses attempting such uploads can also help mitigate risk. [1]
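The fix the answer describes, validating 'resumableIdentifier' so it can no longer steer the upload outside the intended directory, is the same check any upload handler should perform. The function below is an added illustration of that check, written in Python rather than the project's PHP and not the MikoPBX patch itself; the upload root, identifier and filenames in the test are constructed. It rejects an identifier that is not a plain token, a filename carrying path components, a PHP-executable extension, and, as a last line of defence, any resolved path that lands outside the upload root.

```python
import os
import re

# resumable.js identifiers are opaque tokens, so a tight allowlist costs nothing.
IDENT_RE = re.compile(r'^[A-Za-z0-9_-]{1,128}$')
# Reject server-side executable extensions regardless of case.
PHP_EXT_RE = re.compile(r'\.ph(p\d*|tml|ar)$', re.IGNORECASE)


def check_upload_target(upload_root: str, identifier: str, filename: str):
    """Validate an upload's identifier and filename against the upload root.

    Returns (True, resolved_path) when <upload_root>/<identifier>/<filename>
    is acceptable, otherwise (False, reason). The root does not have to exist
    yet; realpath resolves as far as the filesystem allows.
    """
    if not IDENT_RE.fullmatch(identifier):
        return False, "identifier must be a token of letters, digits, '-' or '_'"
    # Both separators are checked explicitly: os.path.basename only splits on
    # the host platform's separator.
    if "/" in filename or "\\" in filename:
        return False, "filename must not contain path separators"
    base = os.path.basename(filename)
    if base in ("", ".", ".."):
        return False, "filename must name a file"
    if PHP_EXT_RE.search(base):
        return False, "executable script extension not allowed"
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, identifier, base))
    # Containment check on the resolved path catches anything the string
    # checks above did not anticipate (symlinks, odd encodings).
    if os.path.commonpath([root, candidate]) != root:
        return False, "resolved path escapes the upload root"
    return True, candidate


if __name__ == "__main__":
    root = "/tmp/pbx-uploads"  # constructed example root
    for ident, name in [("abc123", "recording.wav"),
                        ("../../www", "x.wav"),
                        ("abc123", "shell.php"),
                        ("abc123", "../x.wav")]:
        print(ident, name, "->", check_upload_target(root, ident, name))
```

The order matters: cheap string checks first so that rejected input never reaches filesystem calls, and the realpath containment test last so that the handler is still safe if the allowlist is relaxed later.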

