CVE-2025-52207 in MikoPBX

Summary

by MITRE • 06/27/2025

PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.


Analysis

by VulDB Data Team • 06/28/2025

The vulnerability identified as CVE-2025-52207 resides within the PBXCoreREST component of MikoPBX versions up to and including 2024.1.114. The affected code is the file upload handler in PBXCoreREST/Controllers/Files/PostController.php. Because the handler lets a client place a PHP script in a directory of the client's choosing, an attacker who can write to a location that the web server serves and hands to the PHP interpreter obtains remote code execution. The flaw is a classic unrestricted file upload (CWE-434) and a failure of both input validation and access control.

Technically, the weakness is insufficient validation of uploads in PostController.php. The published summary indicates that neither the destination directory nor the file type is restricted: a request can name an arbitrary directory as the target and supply a file with a .php extension, so a web shell can be dropped into a web-served, script-enabled path. The vulnerability is reachable over the network at the application layer. The summary does not state whether authentication is required to reach the endpoint, so exposure should be assessed against the access controls that protect the PBXCoreREST API in a given deployment.

The operational impact of CVE-2025-52207 is severe. Successful exploitation gives the attacker arbitrary command execution with the privileges of the process that interprets the script (typically the web server or PHP-FPM user). From there the usual consequences follow: full compromise of the PBX host, exfiltration of call records and credentials, lateral movement into the network, and persistent backdoors. The ability to choose the destination directory is what makes this worse than an ordinary upload flaw: the attacker is not confined to a dedicated upload directory that could be served without script execution, but can write to any location the web server user can write to, including paths where PHP is executed.

This vulnerability maps to CWE-434 (Unrestricted Upload of File with Dangerous Type), which covers applications that fail to validate the type of an uploaded file or to restrict where it is stored. In ATT&CK terms, a PHP script uploaded into a served directory is a web shell, T1505.003 (Server Software Component: Web Shell); commands issued through it fall under T1059 (Command and Scripting Interpreter). Recommended mitigations are the standard ones for this weakness class: require authentication and authorization for the upload endpoint, accept only an allowlist of expected extensions and content types (rejecting every PHP variant), discard the client-supplied name and directory in favour of a server-generated name in a fixed upload root, verify that the resolved destination still lies inside that root before writing, and configure the web server so that the upload directory is never handed to the PHP interpreter.
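To make the destination-handling point concrete, the following is an added example (not MikoPBX code and not derived from PostController.php) that places the insecure pattern next to a hardened one. The upload root, the directory names and the audio-only extension allowlist are assumptions chosen for illustration; the logic is generic and applies to any language, PHP included.

```python
"""Insecure vs. hardened handling of an upload destination.

Constructed example for CVE-2025-52207's weakness class (CWE-434 plus
attacker-chosen directory). Not MikoPBX code; paths and the extension
allowlist are assumptions for illustration.
"""
import os
import secrets
from pathlib import Path

# Assumption: this endpoint only needs to accept audio prompts. Anything
# else, including every PHP variant, is rejected by the allowlist.
ALLOWED_EXTENSIONS = {".wav", ".mp3", ".ogg"}


def vulnerable_destination(upload_root: str, user_dir: str, user_filename: str) -> str:
    """The anti-pattern: caller-supplied directory and file name are joined
    into the destination verbatim, so '../' segments, absolute paths and a
    '.php' extension all pass straight through to the filesystem write."""
    return os.path.join(upload_root, user_dir, user_filename)


def safe_destination(upload_root: str, user_dir: str, user_filename: str) -> tuple[bool, str]:
    """Hardened form. Returns (accepted, destination_path_or_reason).

    1. The final extension must be on the allowlist; it is lower-cased so
       'shell.PHP' is treated like 'shell.php'.
    2. The stored name is server-generated. The client name is only used
       to read the extension, so traversal characters or a double
       extension in it never reach the disk.
    3. The destination is resolved (collapsing '..' and following symlinks)
       and must lie inside the resolved upload root. A string-prefix check
       would wrongly accept '/srv/uploads-evil' as inside '/srv/uploads';
       comparing Path objects against candidate.parents does not.
    """
    root = Path(upload_root).resolve()

    ext = Path(os.path.basename(user_filename)).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"

    stored_name = secrets.token_hex(16) + ext

    # Path '/' discards `root` entirely when user_dir is absolute, and
    # resolve() folds '..' segments; the containment test catches both.
    candidate = (root / user_dir / stored_name).resolve()
    if root not in candidate.parents:
        return False, "destination escapes upload root"

    return True, str(candidate)


if __name__ == "__main__":
    root = "/srv/mikopbx-uploads"  # assumed upload root
    print(vulnerable_destination(root, "../../var/www/html", "shell.php"))
    print(safe_destination(root, "../../var/www/html", "shell.php"))
    print(safe_destination(root, "../../var/www/html", "greeting.wav"))
    print(safe_destination(root, "prompts", "greeting.wav"))
```

Even with these checks in place, the upload root should be served with script execution disabled, so that a bypass of the extension check still cannot turn into code execution.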

Responsible

MITRE

Reservation

06/16/2025

Disclosure

06/27/2025

Moderation

accepted

CPE

ready

EPSS

0.09870

KEV

no

Activities

very low

Sources
