CVE-2025-11023 in AcBakImzala
Summary
by MITRE • 10/23/2025
Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion.
This issue affects AcBakImzala: before v5.1.4.
Analysis
by VulDB Data Team • 06/04/2026
This vulnerability represents a critical security flaw in the AcBakImzala backup solution developed by ArkSigner Software and Hardware Inc. The issue stems from improper handling of file inclusion directives within PHP applications, specifically allowing attackers to manipulate include/require statements that should only reference trusted local files. The vulnerability falls under the CWE-98 category of "Inclusion of Functionality from Untrusted Control Sphere" and represents a classic PHP Remote File Inclusion (RFI) vector that has been widely exploited in web application attacks. The flaw manifests when the application accepts user-supplied input to determine which files to include, creating an opportunity for remote code execution through malicious file inclusion.
The vulnerability arises in the PHP application's file handling, where user-controllable parameters are passed directly to include or require statements without proper validation or sanitization. This allows an attacker to inject arbitrary file paths or URLs that the application will attempt to include and execute as PHP code. The vulnerability specifically affects versions prior to v5.1.4 of the AcBakImzala software, indicating that this was a known issue that was subsequently patched by the vendor. Attackers can leverage this weakness to execute arbitrary commands on the server, potentially gaining full control over the backup system and accessing sensitive data stored within the backup environment. The flaw is particularly dangerous because it can be exploited without authentication, making it an attractive target for automated attacks.
The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise and data exfiltration capabilities. An attacker who successfully exploits this vulnerability can gain access to backup files, potentially including sensitive customer data, system configurations, and credentials stored in the backup repositories. This represents a significant risk to organizations relying on the AcBakImzala solution for their backup and recovery operations, as it could lead to data breaches, system downtime, and regulatory compliance violations. The vulnerability aligns with ATT&CK technique T1190 "Exploit Public-Facing Application" and T1059.007 "Command and Scripting Interpreter: PowerShell" when attackers use the included functionality to establish persistent access and execute malicious payloads.
Organizations affected by this vulnerability should immediately upgrade to version 5.1.4 or later to receive the vendor-provided patch that addresses the improper file inclusion handling. The mitigation strategy should include implementing proper input validation and sanitization for all user-supplied parameters that could influence file inclusion decisions. Network segmentation and access controls should be enforced to limit exposure of the backup system to untrusted networks, while monitoring should be implemented to detect suspicious file inclusion patterns. Security teams should also consider implementing web application firewalls to block known malicious patterns and establish regular vulnerability scanning procedures to identify similar issues in other applications. The incident highlights the importance of secure coding practices and proper input validation in preventing remote code execution vulnerabilities that can lead to complete system compromise.
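One way to implement the input validation described above for a CWE-98 include, as an added example that is not AcBakImzala's code or the vendor's patch. The `page` parameter, `PAGE_DIR` and the page names are hypothetical, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical layout (assumption): includable files live in one fixed directory.
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request value => file name on disk. Anything absent is rejected,
// so user input never becomes part of a path or URL.
const PAGES = [
    'home'    => 'home.php',
    'status'  => 'status.php',
    'restore' => 'restore.php',
];

/**
 * Resolve a user-supplied page key to an absolute path, or null if rejected.
 */
function resolve_page(mixed $key): ?string
{
    // Arrays (?page[]=x) and other non-strings never match the allowlist.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    // Defence in depth: the resolved file must exist and stay under PAGE_DIR,
    // which also catches a symlink placed inside that directory.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Vulnerable pattern (CWE-98), kept as a comment for contrast only:
//   include $_GET['page'] . '.php';

$path = resolve_page($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```

Keeping `allow_url_include` set to `Off` in php.ini (its default) prevents include and require from fetching remote URLs even if a check like this is bypassed.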