Can you explain this vulnerability to me?

CVE-2026-41202 is a vulnerability in the ci4ms Backup::restore function, which is part of the CodeIgniter 4-based CMS called CI4MS. The issue is a Zip Slip path traversal flaw that occurs because the restore function extracts user-uploaded ZIP archives without validating the entry names. This allows an authenticated backend user with backup creation permissions to upload a malicious ZIP file containing entries with path traversal sequences (e.g., ../../public/shell.php).

When the ZIP is extracted, files can be written to arbitrary locations on the filesystem, including the public web root. This enables the attacker to drop a PHP shell file and achieve remote code execution (RCE) by executing arbitrary commands on the server. The vulnerability is worsened by the fact that the restore endpoint is excluded from CSRF protection, allowing cross-site request forgery attacks that can trigger the restore action without the user's intent.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can have severe impacts including full server compromise. An attacker who exploits this flaw can write arbitrary files anywhere under the application root, including placing malicious PHP shells in the public web directory.

This leads to remote code execution, allowing the attacker to execute arbitrary commands on the server. They can access sensitive data such as database credentials stored in configuration files, manipulate site content, and potentially disrupt the availability and integrity of the system.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your system is running a vulnerable version of ci4ms (version 0.31.4.0 or earlier) and if the Backup::restore functionality is accessible to authenticated users with backup create permissions.

You can look for suspicious ZIP file uploads containing path traversal sequences (e.g., ../../public/shell.php) in backup restore requests, especially targeting the endpoint backend/backup/restore.

To detect exploitation attempts or presence of malicious files, you can search your web root for unexpected PHP files that may have been dropped by an attacker.

• Check the ci4ms version installed: `grep 'version' path/to/ci4ms/version/file` or check your package manager.
• Monitor web server logs for POST requests to `backend/backup/restore` endpoint.
• Search for suspicious PHP files in the public web root: `find /path/to/public/webroot -name '*.php' -exec grep -l 'shell' {} +`
• Inspect uploaded ZIP files for path traversal entries: unzip -l suspicious_backup.zip | grep '\.\./'

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade ci4ms to version 0.31.5.0 or later, where this vulnerability has been patched.

Restrict backup creation permissions to trusted users only, minimizing the risk of exploitation by unauthorized or less trusted users.

Implement additional security controls such as CSRF protection on the backup restore endpoint to prevent cross-site request forgery attacks.

Audit your system for any malicious files that may have been uploaded via this vulnerability and remove them immediately.

Monitor logs for suspicious activity related to backup restore operations and unauthorized file writes.

Useful 0 Not Useful 0