CVE-2025-50881
Received - Intake
Remote Code Execution in Use It Flow Admin Moniteur.php

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: MITRE

Description
The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.
Meta Information
Published: 2026-03-16
Last Modified: 2026-03-17
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs
Vendor        Product       Version / Range
use_it_flow   flow          to 10.0.0 (exc)
api_sas       use_it_flow   8.2.0
api_sas       use_it_flow   9.2.0
api_sas       use_it_flow   to 10.0.0 (exc)
CWE
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-50881 is a critical Remote Code Execution (RCE) vulnerability in the Use It Flow administration website, specifically in the script `flow/admin/moniteur.php` before version 10.0.0.

The vulnerability occurs because the script takes user input from the `action` URL parameter in GET requests and performs insufficient validation before executing it with the `eval()` function.

Although the script checks if the method exists using `method_exists()`, it only validates the part of the input before the first parenthesis, allowing an attacker to append arbitrary PHP code after a valid method call.

This flaw allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.


How can this vulnerability impact me?

Successful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the server with the same privileges as the web server process.

  • Full system compromise
  • Data theft
  • Data modification or deletion
  • Installation of malware or backdoors
  • Using the compromised server to attack other systems

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP GET requests to the script `flow/admin/moniteur.php` that include the `action` parameter with suspicious payloads. Specifically, look for requests where the `action` parameter starts with a valid method name followed by additional PHP code, such as appended function calls or PHP statements.

A practical detection approach is to inspect web server logs or use network monitoring tools to filter requests matching the pattern of the exploit payload.

  • Use command-line tools like `grep` or `awk` on web server logs to find suspicious `action` parameters, for example: `grep 'action=' /var/log/apache2/access.log | grep -E 'get_data\(.*\);'`
  • Use network monitoring tools such as `tcpdump` or `Wireshark` to capture HTTP GET requests to `moniteur.php` and analyze the `action` parameter for injected PHP code.
  • Example of a suspicious request to look for: `GET /admin/moniteur.php?login=foo&password=bar&action=get_data(1);phpinfo();$res=0;` [2]
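The log check described above can be made independent of the method name and of URL encoding. The following is an added example, not code from Use It Flow or from this page's sources: it decodes each `action` value and flags anything that is more than a single call. The log lines are constructed samples, and the rule for what counts as a legitimate `action` value is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
# Assumption: a legitimate `action` is a bare method name or exactly one call
# whose arguments contain no parentheses or semicolons.
SINGLE_CALL = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\([^();]*\))?")

# Constructed sample log. Line 2 carries the example request quoted above,
# line 3 the same value percent-encoded, which a literal grep does not match.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Mar/2026:10:00:01 +0000] "GET /flow/admin/moniteur.php'
    '?login=foo&password=bar&action=get_data(1) HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Mar/2026:10:00:07 +0000] "GET /admin/moniteur.php'
    '?login=foo&password=bar&action=get_data(1);phpinfo();$res=0; HTTP/1.1" 200 9021',
    '203.0.113.9 - - [16/Mar/2026:10:00:09 +0000] "GET /admin/moniteur.php'
    '?login=foo&password=bar&action=get_data%281%29%3Bphpinfo%28%29%3B%24res%3D0%3B'
    ' HTTP/1.1" 200 9021',
    '198.51.100.2 - - [16/Mar/2026:10:01:00 +0000] "GET /index.php?action=view'
    ' HTTP/1.1" 200 100',
]

def action_values(query):
    """Yield every decoded `action` value; split on '&' only so that a ';'
    inside the value is never treated as a parameter separator."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "action":
            yield unquote_plus(value)

def suspicious_actions(lines, script="moniteur.php"):
    """Return (line_number, decoded_action) for requests to `script` whose
    `action` value has anything beyond one method call."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        if not path.endswith("/" + script):
            continue
        for action in action_values(query):
            if not SINGLE_CALL.fullmatch(action.strip()):
                hits.append((number, action))
    return hits

if __name__ == "__main__":
    for number, action in suspicious_actions(SAMPLE_LOG):
        print(f"line {number}: action={action!r}")
```

Tune `SINGLE_CALL` to the method names and argument formats the deployment actually uses before relying on it for alerting.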


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable script and preventing exploitation of the `action` parameter.

  • Block or restrict HTTP GET requests to `flow/admin/moniteur.php` from untrusted networks or users using firewall rules or web server access controls.
  • Disable or restrict the use of the `action` parameter in GET requests until a patch or update is applied.
  • Update the Use It Flow administration website to version 10.0.0 or later, which fixes the vulnerability.
  • Monitor logs for suspicious activity and immediately investigate any attempts to exploit the vulnerability.
