CVE-2019-25471
Received Received - Intake
Arbitrary File Upload in FileThingie 2.5.7 Enables Remote Code Execution

Publication date: 2026-03-11

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25471
EUVD
EUVD-2019-19746
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
leefish file_thingie to 2.5.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded malicious ZIP files and extracted PHP shells on the server, especially through the vulnerable endpoint /filethingy/ft2.php.

You can attempt to detect if the exploit has been used by sending HTTP GET requests to potential locations of the uploaded PHP shell and observing the responses.

  • Send a GET request to /filethingie/folders/tester/cmdshell.php with a command parameter, for example: GET /filethingie/folders/tester/cmdshell.php?cmd=whoami to check if the shell executes commands.
  • Check for suspicious ZIP file uploads by monitoring POST requests to /filethingie/ft2.php containing ZIP files.
  • Look for extracted PHP files in writable directories such as /tester or other accessible folders.
Mitigation Strategies

Immediate mitigation steps include disabling or restricting the file upload and unzip functionality on the vulnerable endpoint /filethingie/ft2.php to prevent arbitrary file uploads.

Remove any suspicious uploaded ZIP files and extracted PHP shells from the server to eliminate existing backdoors.

Restrict write permissions on directories accessible by the web server to prevent extraction of malicious files.

Monitor web server logs for unusual POST requests uploading ZIP files and GET requests accessing suspicious PHP scripts.

Apply patches or upgrade FileThingie to a version that fixes this vulnerability once available.

Executive Summary

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious ZIP archives through the ft2.php endpoint.

Attackers can upload ZIP files containing PHP shells, then use the unzip functionality to extract these files into accessible directories on the server.

Once extracted, the attacker can execute arbitrary commands on the server by accessing the uploaded PHP shell scripts remotely.

Impact Analysis

This vulnerability can lead to full remote code execution on the server hosting FileThingie.

  • Attackers can run arbitrary system commands remotely.
  • Sensitive files on the server, such as /etc/passwd, can be read by the attacker.
  • The server and its data can be completely compromised, potentially leading to data theft, service disruption, or further attacks on connected systems.
Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart