CVE-2025-52207
published 2025-06-27

CVE-2025-52207: PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.

Priority: P1 80 critical, 9.9 (CVSS 3.1)
Vector: AV:N AC:L PR:L UI:N S:C C:H I:H A:L
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.47% (70.4th percentile)

Affected

1 range

Vendor  Product   Version range    Fixed in
miko    mikopbx   <= 2024.1.114    (not listed)

Detection & IOCs (extracted from sources)

path: /pbxcore/api/files/uploadFile
path: /admin-cabinet/session/start
path: /pbxcore/files/cache/
path: PBXCoreREST/Controllers/Files/PostController.php
path: ../files_cache/
other: {"jsonapi":{"version":"1.0"},"result":true,"data":
  • Detect unauthenticated or authenticated POST requests to /pbxcore/api/files/uploadFile with a multipart body containing a resumableIdentifier value using path traversal (e.g., '../files_cache/') and a .php filename in resumableFilename.
  • Alert on HTTP 200 responses from /pbxcore/api/files/uploadFile where the JSON body contains '"result":true' alongside a 'data.filename' field, indicating a successful file upload.
  • Monitor for GET requests to /pbxcore/files/cache/ paths ending in .php, which would indicate an attacker attempting to execute an uploaded PHP webshell.
  • Use Shodan/FOFA queries to identify exposed MikoPBX instances: favicon hash 8309143, product 'mikopbx', or title 'MikoPBX'.
  • The exploit flow requires prior authentication via POST to /admin-cabinet/session/start; correlate login events followed immediately by upload attempts to /pbxcore/api/files/uploadFile.
  • The vulnerability is authenticated — an attacker must first obtain valid credentials before exploiting the file upload endpoint.
  • The path traversal is achieved via the resumableIdentifier field (e.g., '../files_cache/<name>'), allowing upload to arbitrary directories outside the intended upload path.
  • Affects all MikoPBX versions through 2024.1.114; the fix is tracked in GitHub commit 3ee785429d3f1b33c9ab387ef4221127c9b8c5f3.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vulncheck           9.9    CRITICAL