CVE-2025-52207
Published 2025-06-27
PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.
Priority: P180 · Severity: critical, 9.9 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 1.47% (70.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| miko | mikopbx | <= 2024.1.114 | — |
Detection & IOCs (extracted from sources)
- path: /pbxcore/api/files/uploadFile
- path: /admin-cabinet/session/start
- path: /pbxcore/files/cache/
- path: ../files_cache/
- other: {"jsonapi":{"version":"1.0"},"result":true,"data":
- Detect unauthenticated or authenticated POST requests to /pbxcore/api/files/uploadFile with a multipart body containing a resumableIdentifier value using path traversal (e.g., '../files_cache/') and a .php filename in resumableFilename.
- Alert on HTTP 200 responses from /pbxcore/api/files/uploadFile where the JSON body contains '"result":true' alongside a 'data.filename' field, indicating a successful file upload.
- Monitor for GET requests to /pbxcore/files/cache/ paths ending in .php, which would indicate an attacker attempting to execute an uploaded PHP webshell.
- Use Shodan/FOFA queries to identify exposed MikoPBX instances: favicon hash 8309143, product 'mikopbx', or title 'MikoPBX'.
- The exploit flow requires prior authentication via POST to /admin-cabinet/session/start; correlate login events followed immediately by upload attempts to /pbxcore/api/files/uploadFile.
- The vulnerability is authenticated — an attacker must first obtain valid credentials before exploiting the file upload endpoint.
- The path traversal is achieved via the resumableIdentifier field (e.g., '../files_cache/<name>'), allowing upload to arbitrary directories outside the intended upload path.
- Affects all MikoPBX versions through 2024.1.114; the fix is tracked in GitHub commit 3ee785429d3f1b33c9ab387ef4221127c9b8c5f3.
CVSS provenance
- NVD (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
- VulnCheck: 9.9 CRITICAL
GHSA
GHSA-6578-p64m-wjxr: PBXCoreREST/Controllers/Files/PostController
ghsa_unreviewed · 2025-06-27 · CVE-2025-52207 [CRITICAL] · CWE-23
VulnCheck
CVE-2025-52207 [CRITICAL] Relative Path Traversal
vulncheck · 2025 · CVSS 9.9
Affected: MIKO MikoPBX
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-52207
No detection rules found.
Nuclei
CVE-2025-52207 [CRITICAL] MikoPBX - Unrestricted File Upload
nuclei · CVSS 9.9
MikoPBX through 2024.1.114 contains an authenticated unrestricted file upload vulnerability caused by allowing PHP script uploads in PBXCoreREST/Controllers/Files/PostController.php.
Template:
id: CVE-2025-52207
info:
  name: MikoPBX - Unrestricted File Upload
  author: darses
  severity: critical
  description: |
    MikoPBX through 2024.1.114 contains an authenticated unrestricted file upload vulnerability caused by allowing PHP script uploads in PBXCoreREST/Controllers/Files/PostController.php.
  impact: |
    Authenticated attackers can upload and execute arbitrary PHP scripts, leading to remote code execution and full system compromise.
  remediation: |
    Update to the latest version beyond 2024.1.114.
  reference:
    - https://github.com/mikopbx/Core/commit/3ee785429d3f1b
No writeups or analysis indexed.
Timeline
- 2025-06-27: Published
- Exploited in the wild