CVE-2025-70364
Authenticated PHP Code Execution in Kiamo Before
Publication date: 2026-04-09
Last updated on: 2026-04-22
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kiamo | kiamo | to 8.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70364 is a high-severity vulnerability in Kiamo versions prior to 8.4 that allows authenticated administrative users to execute arbitrary PHP code on the server.
The vulnerability exists in an administrative feature called "Script" within the "Tools" section, which permits execution of PHP scripts.
An attacker with administrator privileges can exploit this feature to run malicious PHP code, such as a reverse shell payload, enabling remote control of the server.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized remote access and control over the affected server.
By exploiting the vulnerability, an attacker can execute arbitrary PHP code, potentially leading to data theft, system compromise, and further exploitation within the network.
For example, the attacker can deploy a reverse shell that allows them to interactively control the server, escalating their access and performing malicious activities.
Until patched, systems remain at risk if administrative access is not tightly controlled and monitored.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the use of the administrative "Script" feature in Kiamo prior to version 8.4, which allows execution of arbitrary PHP code. Specifically, detection involves looking for suspicious PHP script execution or unusual outbound connections initiated by the server.
One way to detect exploitation attempts is to monitor for outbound reverse shell connections from the server to unknown IP addresses, especially on uncommon ports such as 4444.
A sample command to detect active reverse shell connections on a Linux server could be:
- netstat -tnp | grep ESTABLISHED
Additionally, reviewing web server or application logs for calls to the PHPEditor.init() callback function or execution of PHP scripts via the administrative interface may help identify exploitation.
Since the exploit uses PowerShell commands for the reverse shell, monitoring Windows event logs or PowerShell logs for suspicious commands similar to the payload can also be useful.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patch released in Kiamo version 8.4, which restricts the PHP script execution functionality to prevent arbitrary code execution.
Until the patch can be applied, it is advised to limit access to the administrative interfaces, especially the "Tools" section containing the "Script" feature, to trusted users only.
Additionally, monitoring and restricting outbound network connections from the server can help prevent reverse shell connections to attacker-controlled machines.
Implementing network segmentation and firewall rules to block unexpected outbound traffic on ports like 4444 can reduce the risk of exploitation.