CVE-2025-70364
Received Received - Intake
Authenticated PHP Code Execution in Kiamo Before

Publication date: 2026-04-09

Last updated on: 2026-04-22

Assigner: MITRE

Description
An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70364
EUVD
EUVD-2025-209386
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kiamo kiamo to 8.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-70364 is a high-severity vulnerability in Kiamo versions prior to 8.4 that allows authenticated administrative users to execute arbitrary PHP code on the server.

The vulnerability exists in an administrative feature called "Script" within the "Tools" section, which permits execution of PHP scripts.

An attacker with administrator privileges can exploit this feature to run malicious PHP code, such as a reverse shell payload, enabling remote control of the server.

Impact Analysis

This vulnerability can have serious impacts including unauthorized remote access and control over the affected server.

By exploiting the vulnerability, an attacker can execute arbitrary PHP code, potentially leading to data theft, system compromise, and further exploitation within the network.

For example, the attacker can deploy a reverse shell that allows them to interactively control the server, escalating their access and performing malicious activities.

Until patched, systems remain at risk if administrative access is not tightly controlled and monitored.

Detection Guidance

This vulnerability can be detected by monitoring for the use of the administrative "Script" feature in Kiamo prior to version 8.4, which allows execution of arbitrary PHP code. Specifically, detection involves looking for suspicious PHP script execution or unusual outbound connections initiated by the server.

One way to detect exploitation attempts is to monitor for outbound reverse shell connections from the server to unknown IP addresses, especially on uncommon ports such as 4444.

A sample command to detect active reverse shell connections on a Linux server could be:

  • netstat -tnp | grep ESTABLISHED

Additionally, reviewing web server or application logs for calls to the PHPEditor.init() callback function or execution of PHP scripts via the administrative interface may help identify exploitation.

Since the exploit uses PowerShell commands for the reverse shell, monitoring Windows event logs or PowerShell logs for suspicious commands similar to the payload can also be useful.

Mitigation Strategies

Immediate mitigation steps include applying the official patch released in Kiamo version 8.4, which restricts the PHP script execution functionality to prevent arbitrary code execution.

Until the patch can be applied, it is advised to limit access to the administrative interfaces, especially the "Tools" section containing the "Script" feature, to trusted users only.

Additionally, monitoring and restricting outbound network connections from the server can help prevent reverse shell connections to attacker-controlled machines.

Implementing network segmentation and firewall rules to block unexpected outbound traffic on ports like 4444 can reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70364. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart