CVE-2025-8255
BaseFortify
Publication date: 2025-07-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | exam_form_submission | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8255 is a critical file upload vulnerability in the Exam Form Submission 1.0 application, specifically in the /register.php file. The vulnerability arises from improper validation of the 'image' argument, allowing attackers to upload malicious PHP scripts such as AntSword webshells by bypassing file type and content checks. Once uploaded, attackers can remotely connect to the system using the AntSword client, execute arbitrary system commands, browse the file system, and steal sensitive data, effectively gaining full control over the compromised system. [1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to a full system compromise. Attackers can execute arbitrary commands on the affected system, access and steal sensitive data such as database configuration files and user information, escalate privileges, move laterally within internal networks, and maintain persistence by uploading additional backdoors. The attack can be performed remotely without authentication, making it highly accessible and dangerous. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for suspicious file uploads and webshell activity. You can look for uploaded PHP files in web-accessible directories such as /uploads/. Commands to detect potentially malicious uploads include: 1) Finding recently uploaded PHP files: `find /var/www/html/uploads/ -name '*.php' -type f -mtime -7` 2) Searching web server logs for POST requests to /register.php that include suspicious payloads or filenames ending with .php: `grep 'POST /register.php' /var/log/apache2/access.log | grep '.php'` 3) Detecting AntSword webshell activity by searching for POST parameters starting with Base64 encoded strings like 'a=ZXZ': `grep -r 'a=ZXZ' /var/log/apache2/` 4) Monitoring for usage of dangerous PHP functions such as eval or base64_decode in uploaded files or logs. Additionally, deploying Web Application Firewall (WAF) rules to detect AntSword-specific payloads and using Endpoint Detection and Response (EDR) tools to monitor PHP execution in upload directories can help detect exploitation attempts. [3, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Blocking uploads of PHP and related script files by configuring the web server to deny execution of files with extensions like .php, .php3, .php5, and .phtml. For example, in Apache: `<FilesMatch "\.(php|php3|php5|phtml)$"> Require all denied </FilesMatch>`. 2) Implementing Web Application Firewall (WAF) rules to detect and block AntSword-specific payloads, such as those containing `eval(base64_decode` or POST parameters starting with `a=ZXZ`. 3) Monitoring and logging suspicious requests containing dangerous functions like eval and base64_decode. 4) Removing any existing malicious uploaded files and scanning the system for backdoors. 5) Considering replacing the affected product with a secure alternative, as no known countermeasures are reported. These steps help prevent exploitation while longer-term fixes like proper file validation and secure storage are developed. [3, 2]