CVE-2019-25471
Received Received - Intake

Arbitrary File Upload in FileThingie 2.5.7 Enables Remote Code Execution

Vulnerability report for CVE-2019-25471, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-11

Last updated on: 2026-04-13

Assigner: VulnCheck

Description

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-11
Last Modified
2026-04-13
Generated
2026-07-06
AI Q&A
2026-03-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
leefish file_thingie to 2.5.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious ZIP archives through the ft2.php endpoint.

Attackers can upload ZIP files containing PHP shells, then use the unzip functionality to extract these files into accessible directories on the server.

Once extracted, the attacker can execute arbitrary commands on the server by accessing the uploaded PHP shell scripts remotely.

Impact Analysis

This vulnerability can lead to full remote code execution on the server hosting FileThingie.

  • Attackers can run arbitrary system commands remotely.
  • Sensitive files on the server, such as /etc/passwd, can be read by the attacker.
  • The server and its data can be completely compromised, potentially leading to data theft, service disruption, or further attacks on connected systems.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded malicious ZIP files and extracted PHP shells on the server, especially through the vulnerable endpoint /filethingy/ft2.php.

You can attempt to detect if the exploit has been used by sending HTTP GET requests to potential locations of the uploaded PHP shell and observing the responses.

  • Send a GET request to /filethingie/folders/tester/cmdshell.php with a command parameter, for example: GET /filethingie/folders/tester/cmdshell.php?cmd=whoami to check if the shell executes commands.
  • Check for suspicious ZIP file uploads by monitoring POST requests to /filethingie/ft2.php containing ZIP files.
  • Look for extracted PHP files in writable directories such as /tester or other accessible folders.
Mitigation Strategies

Immediate mitigation steps include disabling or restricting the file upload and unzip functionality on the vulnerable endpoint /filethingie/ft2.php to prevent arbitrary file uploads.

Remove any suspicious uploaded ZIP files and extracted PHP shells from the server to eliminate existing backdoors.

Restrict write permissions on directories accessible by the web server to prevent extraction of malicious files.

Monitor web server logs for unusual POST requests uploading ZIP files and GET requests accessing suspicious PHP scripts.

Apply patches or upgrade FileThingie to a version that fixes this vulnerability once available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart