cbcvebase.
CVE-2025-1025
published 2025-02-05


Priority: P267, high
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Exploit: available
EPSS: 17.55% (96.8th percentile)
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload: an attacker can use a different file extension to bypass the upload filter and place server-side code in the uploads directory.

Affected

5 ranges

Vendor       Product                                    Version range    Fixed in
amazon       tough                                      >= 0 < 0.20.0    0.20.0
cockpit-hq   cockpit                                    < 2.4.1          2.4.1
cockpit-hq   cockpit                                    >= 0 < 2.4.1     2.4.1
msrc         azl3_haproxy_2.9.11-3_on_azure_linux_3.0   (not listed)     (not listed)
msrc         cbl2_haproxy_2.4.24-1_on_cbl_mariner_2.0   (not listed)     (not listed)

Only the two cockpit-hq/cockpit rows (the same range stated twice) match the description above. The amazon/tough and msrc/haproxy rows name unrelated products and look like aggregation noise; verify them against the originating advisories before acting on them.

Detection & IOCs (extracted from sources)

url: /assets/upload
path: /storage/uploads/
filename: *.php / *.phtml / *.phar (uploaded via extension bypass)
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cockpit Authenticated Arbitrary PHP File Upload (CVE-2025-1025)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/assets/upload"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|files|5b 5d 22 3b 20|filename|3d 22|"; pcre:"/^.*?\x2e(?:php|phtml|phar)/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-1025.yaml; reference:cve,2025-1025; classtype:attempted-admin; sid:2060780; rev:1; metadata:affected_product Cockpit, attack_target Web_Server, tls_state plaintext, created_at 2025_03_11, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • A POST to /assets/upload with a multipart body whose files[] part carries a filename containing .php, .phtml or .phar is the core exploit pattern. The rule pins the URI by exact length (bsize:14), matches the Content-Disposition header structure of that part, and only then applies the extension pcre relative to filename=".
  • After a successful upload the attacker GETs the file back from /storage/uploads/<path> to confirm code execution. Monitor GET requests under that path, especially for names with a PHP extension and for responses that are not static content.
  • The PoC traffic uses a WebKit-style multipart boundary. The specific boundary string seen in the PoC can serve as a supplementary signature, but the boundary is chosen by the client and changes trivially, so it must not be relied on alone.
  • cockpit-hq/cockpit before 2.4.1 is affected. Any instance that ran a vulnerable version with the upload endpoint reachable should be treated as potentially compromised: sweep /storage/uploads/ for PHP files (including polyglot images with an embedded PHP open tag) before upgrading to 2.4.1 or later.
  • The Snort/Suricata rule (sid:2060780) is scoped to plaintext HTTP only (tls_state plaintext); HTTPS-terminated deployments will not be covered by this rule without TLS inspection or a sensor placed behind the terminating proxy.
  • The rule name says "Authenticated": the upload endpoint is used by logged-in users, and the rule classifies hits as attempted-admin. The rule itself does not check for a session, so it fires on any matching POST. Note that the NVD vectors on this page score PR:N (no privileges required), which conflicts with the rule name; confirm the precondition against the upstream advisory before deciding how much weight credential compromise gets in triage. Unauthenticated attempts, if they exist, may follow a different traffic pattern.
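The three checks above, worked through as an added example (this is not code from the page or from the Cockpit project): a Python re-implementation of the matching logic in ET sid:2060780, the follow-up GET, and a host-side sweep of the uploads tree, run over constructed traffic. The paths /assets/upload and /storage/uploads/ come from the IOC list; every request, boundary, file name and file body below is made up for the demonstration, and the host name cms.example is a placeholder.

```python
"""Added example (not from the page or the Cockpit project): the matching logic
of ET sid:2060780, the follow-up GET from the bullets above, and a host-side
sweep of the uploads tree, re-implemented in Python and run over constructed
requests.  /assets/upload and /storage/uploads/ come from the IOC list; every
request, file name and file body below is made up for the demonstration."""
import os
import re
import tempfile

UPLOAD_URI = "/assets/upload"        # 14 bytes, hence bsize:14 in the rule
UPLOADS_PREFIX = "/storage/uploads/"
# The rule's pcre runs relative to filename=" with no trailing anchor and no
# nocase: any lowercase ".php", ".phtml" or ".phar" substring in the name hits.
PHP_IN_NAME = re.compile(r"\.(?:php|phtml|phar)")
# The rule's http.request_body content match, decoded from its hex escapes.
PART_HEADER = re.compile(
    rb'Content-Disposition: form-data; name="files\[\]"; filename="([^"\r\n]*)"')
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 parser: returns (method, target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, target, _version = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    return method, target, body


def upload_alert(method, uri, body):
    """Stage 1 as sid:2060780 sees it: POST to exactly /assets/upload, files[] part with a PHP-family extension."""
    if method != "POST" or uri != UPLOAD_URI:
        return None
    for m in PART_HEADER.finditer(body):
        name = m.group(1).decode("latin-1")
        if PHP_IN_NAME.search(name):
            return {"sid": 2060780, "stage": "upload", "filename": name}
    return None


def fetch_alert(method, uri, body=b""):
    """Stage 2 from the bullets: GET of a PHP-named file under /storage/uploads/."""
    path = uri.split("?", 1)[0]
    if method == "GET" and path.startswith(UPLOADS_PREFIX) and PHP_IN_NAME.search(path):
        return {"stage": "fetch", "path": path}
    return None


def scan_uploads_dir(root):
    """Host-side check: flag files with a PHP extension or a PHP open tag in the first 4 KiB (polyglots)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if PHP_IN_NAME.search(fn):
                findings.append((os.path.relpath(full, root), "php extension"))
            elif PHP_OPEN_TAG.search(head):
                findings.append((os.path.relpath(full, root), "php open tag in content"))
    return sorted(findings)


def multipart(filename, content):
    """Constructed multipart body in the shape the rule matches; the boundary is client-chosen."""
    boundary = b"----WebKitFormBoundaryEXAMPLE"
    header = b'Content-Disposition: form-data; name="files[]"; filename="' + filename.encode() + b'"'
    return b"\r\n".join([b"--" + boundary, header, b"Content-Type: application/octet-stream",
                         b"", content, b"--" + boundary + b"--", b""])


def request(method, uri, body=b""):
    return f"{method} {uri} HTTP/1.1\r\nHost: cms.example\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body


def run_samples(samples):
    """Feed raw requests through both stages and collect the alerts."""
    alerts = []
    for raw in samples:
        req = parse_request(raw)
        hit = upload_alert(*req) or fetch_alert(*req)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample traffic: a benign upload, the bypass upload, the fetch.
SAMPLES = [
    request("POST", UPLOAD_URI, multipart("logo.png", b"\x89PNG\r\n")),
    request("POST", UPLOAD_URI, multipart("shell.phtml", b"<?php system($_GET['c']); ?>")),
    request("GET", UPLOADS_PREFIX + "shell.phtml?c=id"),
]


def demo_scan():
    """Build a constructed uploads tree and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "2025"))
        for rel, data in [("2025/brochure.pdf", b"%PDF-1.4"),
                          ("2025/shell.phtml", b"<?php echo 1; ?>"),
                          ("avatar.jpg", b"\xff\xd8\xff<?php system($_GET['c']); ?>")]:
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return scan_uploads_dir(root)
```

Running run_samples(SAMPLES) yields two alerts, the shell.phtml upload and the GET for /storage/uploads/shell.phtml, while the logo.png upload is silent. Three quirks of the rule are visible in the re-implementation and are worth knowing when tuning: the exact 14-byte URI match means a trailing slash or query string on the upload URI defeats the rule if the application still serves the upload there; the pcre has no nocase, so SHELL.PHP is not matched; and it has no trailing anchor, so a name such as report.pharma.png fires as a false positive. demo_scan() shows why the host-side sweep looks at content as well as names: the shell.phtml is found by extension, and the avatar.jpg with an embedded PHP open tag is found by content.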

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             3.1      7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd             4.0      7.7    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat   -        7.8    HIGH      (no vector listed)
vendor_msrc     -        6.8    MEDIUM    (no vector listed)

The Red Hat and MSRC scores arrive without vectors, so they cannot be reconciled with the NVD scoring here; check them against the respective vendor advisories before using them for prioritisation.