CVE-2025-15423
Unrestricted File Upload in EmpireSoft EmpireCMS CheckSaveTranFiletype

Publication date: 2026-01-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-01-02
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: empiresoft
Product: empirecms
Version / Range: to 8.0 (inc)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-15423 is a file upload restriction bypass vulnerability in EmpireSoft EmpireCMS up to version 8.0. It exists in the CheckSaveTranFiletype() function in the file e/class/connect.php, which uses a blacklist to block dangerous file types but fails to block critical files such as .htaccess and .user.ini. This allows an attacker with member-level privileges to upload malicious configuration files that enable Remote Code Execution (RCE) on Apache and Nginx servers. For example, on Apache, uploading a .htaccess file can enable PHP execution for files with a .jpg extension, allowing an attacker to upload a webshell and execute arbitrary commands. On Nginx with PHP-FPM, uploading a .user.ini file can cause PHP to automatically include malicious code, facilitating code execution. The blacklist checks can also be bypassed with names ending in .php. (trailing dot) and .php::$DATA (NTFS Alternate Data Stream) on Windows systems. The impact includes arbitrary system command execution, file read/write access, full server compromise, and exposure of sensitive data. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can lead to unrestricted file uploads of malicious configuration files, enabling attackers to execute arbitrary code remotely on the affected server. This can result in full server compromise, including the ability to run system commands, read and write files, and access sensitive information such as database credentials. Ultimately, this can lead to loss of confidentiality, integrity, and availability of the system and data hosted on the server. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by searching for the presence of the vulnerable file e/class/connect.php in EmpireCMS installations and by checking for suspicious uploaded files such as .htaccess, .user.ini, or files with extensions like .php. or .php::$DATA that bypass the blacklist. Additionally, Google Dorking can be used to identify vulnerable targets using queries like inurl:e/class/connect.php. On the system, you can look for unexpected .htaccess or .user.ini files in upload directories or check web server logs for unusual requests to files like shell.jpg with command parameters. Example commands include:

1) Using find to locate suspicious files (the last pattern is single-quoted so the shell does not expand $DATA):
   find /var/www/html -type f \( -name ".htaccess" -o -name ".user.ini" -o -name "*.php." -o -name '*.php::$DATA' \)

2) Using grep to search for suspicious PHP code in uploaded files:
   grep -r "<?php system" /var/www/html/uploads/

3) Using Google Dork to find potentially vulnerable sites:
   inurl:e/class/connect.php

[3, 1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include extending the blacklist in the CheckSaveTranFiletype() function to explicitly block .htaccess and .user.ini files, which are currently not blocked. Ideally, replace the blacklist approach with a whitelist validation function that only allows safe file extensions such as .jpg, .jpeg, .png, .gif, .bmp, .pdf, .doc, .docx, .xls, .xlsx, .txt, .zip, and .rar. Additionally, restrict file upload permissions to trusted users only, disable AllowOverride in Apache to prevent .htaccess from being processed if possible, and monitor upload directories for suspicious files. Since no vendor patch or official fix is available, these steps help reduce the risk of exploitation. [1]
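
A sketch of the whitelist validation recommended above, as an added example that is not EmpireCMS code or a vendor fix. The function name upload_name_allowed() and the sample file names are constructed for illustration; beyond the extension list, it also rejects the dotfile, trailing-dot and ::$DATA names described in the explanation.

```php
<?php
// Added example: allowlist check for uploaded file names. Not EmpireCMS code;
// the function name and the sample names below are constructed.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'pdf', 'doc',
    'docx', 'xls', 'xlsx', 'txt', 'zip', 'rar'];

function upload_name_allowed(string $name): bool
{
    // Reject control characters (including NUL), path separators and ':'
    // (the NTFS alternate data stream marker, as in "x.php::$DATA").
    if ($name === '' || preg_match('/[\x00-\x1f\/\\\\:]/', $name)) {
        return false;
    }
    // Windows strips trailing dots and spaces, so "x.php." is stored as "x.php".
    if ($name !== rtrim($name, ". ")) {
        return false;
    }
    // Dotfiles such as .htaccess and .user.ini are never valid uploads.
    if ($name[0] === '.') {
        return false;
    }
    // Deliberately strict policy: exactly one dot, i.e. a base name plus a
    // single extension. This also rejects double extensions ("shell.php.jpg").
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        return false;
    }
    // Case-insensitive match against the allowlist; anything else is refused.
    return in_array(strtolower($parts[1]), ALLOWED_EXTENSIONS, true);
}

// Constructed sample names: the cases from the advisory plus benign uploads.
$samples = ['photo.JPG', 'report.pdf', '.htaccess', '.user.ini', 'shell.php.',
    'shell.php::$DATA', 'shell.php.jpg', 'shell.php', "a.jpg\0.php"];

foreach ($samples as $sample) {
    printf("%-20s %s\n", addcslashes($sample, "\0..\37"),
        upload_name_allowed($sample) ? 'accept' : 'reject');
}
```

Only photo.JPG and report.pdf are accepted. Storing each accepted upload under a server-generated name instead of the client-supplied one removes the remaining dependence on name parsing.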


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attackers to upload malicious files leading to remote code execution, full server compromise, and exposure of database credentials and sensitive data. Such exposure and unauthorized access to sensitive personal or protected health information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and breaches. Therefore, exploitation of this vulnerability can negatively impact compliance with these standards by risking confidentiality and integrity of protected data. [1, 3]

