CVE-2025-69906
Arbitrary File Upload in Monstra CMS Files Manager Enables RCE
Publication date: 2026-02-05
Last updated on: 2026-02-11
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monstra | monstra_cms | 3.0.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69906 is an arbitrary file upload vulnerability in Monstra CMS version 3.0.4, specifically in the Files Manager plugin.
The vulnerability exists because the application uses a blacklist-based file extension validation that can be bypassed by attackers using techniques such as case variations, double extensions, null byte injection, and non-standard PHP extensions.
Uploaded files are stored directly in a web-accessible directory without proper sanitization or renaming, allowing an attacker with authenticated access to upload malicious files that can be executed as code on the server.
How can this vulnerability impact me?
This vulnerability can lead to remote code execution (RCE) on the affected server.
- An attacker with authenticated access to the Files Manager can upload a malicious PHP webshell.
- The webshell can be executed remotely, allowing the attacker to run arbitrary PHP code.
- Potential impacts include full server compromise, privilege escalation, and information disclosure such as reading sensitive configuration files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of suspicious files uploaded to the web-accessible /public/files/ directory, especially files with extensions that bypass the blacklist (e.g., .PHP, .php7, .phtml, or files with double extensions like .php.jpg).
You can also look for signs of remote code execution attempts or webshell activity by monitoring web server logs for requests to such uploaded files.
Suggested commands to detect suspicious files include:
- Find files with suspicious extensions or double extensions in the upload directory: `find /path/to/monstra/public/files/ -type f \( -iname "*.php*" -o -iname "*.phtml" \)`
- Search for files with null byte injection attempts in filenames (if filesystem supports it): `ls -l | grep $'\x00'`
- Check web server access logs for requests to suspicious files: `grep -iE "\.php|\.phtml" /var/log/apache2/access.log`
- Look for recently modified or created files in the upload directory: `find /path/to/monstra/public/files/ -type f -mtime -7` [2]
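The checks above can be folded into one sweep of the upload directory that names which bypass pattern (case variant, alternate PHP extension, double extension, null byte) each file matches and whether it changed recently. This is an added detection example, not Monstra code; the directory, file names and the set of interpreter-handled extensions are constructed assumptions.

```python
import tempfile
import time
from pathlib import Path

# Extensions a typical Apache/mod_php setup may hand to the interpreter
# (assumption: compare against your own AddHandler/FilesMatch config).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}


def classify(filename: str) -> list[str]:
    """Return the blacklist-bypass patterns a filename matches ([] if none)."""
    findings = []
    name = filename.rsplit("/", 1)[-1]
    if "\x00" in name:  # validator saw the full name, filesystem the truncated one
        findings.append("null-byte")
        name = name.split("\x00", 1)[0]
    exts = name.lower().split(".")[1:]  # every extension segment after the base
    if not exts:
        return findings
    last_orig = name.rsplit(".", 1)[-1]
    last = exts[-1]
    if last in PHP_EXTENSIONS:
        findings.append(f"php-ext:.{last_orig}")
        if last_orig != last:  # e.g. .PHP slipping past a lowercase blacklist
            findings.append("case-variant")
    if any(e in PHP_EXTENSIONS for e in exts[:-1]):  # e.g. shell.php.jpg
        findings.append(f"double-extension:{name}")
    return findings


def scan_upload_dir(root: str, recent_days: int = 7) -> dict[str, list[str]]:
    """Walk an upload directory; map each suspicious file to its findings."""
    cutoff = time.time() - recent_days * 86400
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        findings = classify(path.name)
        if findings and path.stat().st_mtime >= cutoff:
            findings.append("modified-recently")
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


def demo_scan() -> dict[str, list[str]]:
    """Constructed sample upload directory (not a real Monstra install)."""
    root = tempfile.mkdtemp()
    for n in ("photo.jpg", "shell.PHP", "shell.phtml", "shell.php.jpg"):
        Path(root, n).write_text("constructed sample\n")
    return scan_upload_dir(root)
```

Point `scan_upload_dir` at the real /public/files/ path and review every entry in the report; the benign `photo.jpg` is never listed, so output means something needs a look.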
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Disable the Files Manager plugin entirely to prevent any file uploads through the vulnerable interface.
- Implement a whitelist of allowed file extensions for uploads, such as only permitting image files like PNG or JPEG.
- Rename uploaded files using unique identifiers (e.g., using uniqid()) and enforce safe extensions like .jpg to prevent execution.
- Store uploaded files outside the web root directory to prevent direct web access and execution.
- Consider migrating to a maintained CMS platform since Monstra CMS has been unmaintained since 2018.