CVE-2019-25647
Remote Code Execution in PhreeBooks 5.2.3 Image Manager
Publication date: 2026-03-24
Last updated on: 2026-03-25
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phreesoft | phreebookserp | 5.2.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25647 is a remote code execution vulnerability in PhreeBooks ERP version 5.2.3, specifically in the image manager component.
Authenticated attackers can bypass file extension controls to upload arbitrary PHP files through the image manager endpoint.
Once these malicious PHP files are uploaded, attackers can execute them on the server to run system commands and establish reverse shell connections, effectively gaining control over the system.
How can this vulnerability impact me? :
This vulnerability allows attackers with authenticated access to execute arbitrary code on the server hosting PhreeBooks ERP.
The impact includes the potential for attackers to run system commands, establish reverse shell connections, and gain unauthorized control over the affected system.
Such control can lead to data breaches, system compromise, disruption of services, and further exploitation within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized or suspicious PHP file uploads through the image manager endpoint of PhreeBooks ERP 5.2.3. Since attackers bypass file extension controls to upload arbitrary PHP files, checking the upload directories for unexpected PHP files is a key detection method.'}, {'type': 'paragraph', 'content': 'Additionally, network monitoring for unusual reverse shell connections or unexpected system command executions originating from the server may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious files or activity include:'}, {'type': 'list_item', 'content': "Find PHP files in the image upload directory (example path /var/www/phreebooks/uploads):\nfind /var/www/phreebooks/uploads -type f -name '*.php'"}, {'type': 'list_item', 'content': "Check web server access logs for POST requests to the image manager endpoint that include PHP file uploads:\ngrep 'POST' /var/log/apache2/access.log | grep 'image_manager'"}, {'type': 'list_item', 'content': "Monitor active network connections for suspicious reverse shell activity:\nnetstat -tnp | grep 'ESTABLISHED'"}, {'type': 'list_item', 'content': 'Check running processes for unexpected PHP or shell processes:\nps aux | grep php\nps aux | grep sh'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the image manager upload functionality until a patch or fix is applied.
Ensure that file upload controls properly validate and restrict file types to prevent uploading of executable PHP files.
Limit access to the image manager endpoint to only trusted authenticated users with the minimum necessary privileges.
Monitor and remove any suspicious PHP files found in upload directories and review logs for signs of exploitation.
Apply any available security patches or updates from the vendor as soon as they are released.