cbcvebase.
CVE-2025-57642
published 2025-09-10

Priority: P3 · 55
Severity: high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.48% (70.7th percentile)

A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP shell scripts on the server, leading to remote code execution and unauthorized access to the system. This can result in the compromise of sensitive data and system functionality.

Affected

1 range
Vendor | Product | Version range | Fixed in
sohamjuhin | tourism_management_system | |

Detection & IOCs (extracted from sources)

url: http://target.com/index.php?user/login&link=
path: /index.php?user/login&link=
  • Monitor HTTP requests to /index.php with query parameters containing 'user/login' combined with an external 'link=' parameter value pointing to an off-site URL, which indicates exploitation of the open redirect / shell upload chain.
  • Detect file upload attempts of PHP shell scripts to the Tourism Management System 2.0 application; successful upload leads to remote code execution.
  • The exploit was tested on a specific environment; results may vary on other configurations.
  • The vulnerability is specific to Tourism Management System version 2.0; other versions are not confirmed affected.
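
The first monitoring rule above, written as a log check in Python. This is an added example, not part of the CVE record or its sources; the site host name, the combined-log-format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: host names the application is legitimately served under.
SITE_HOSTS = {"tourism.example.test"}
# Request field of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def offsite_link_host(target, site_hosts=SITE_HOSTS):
    """Return the off-site host named by link=, or None if the request does not match."""
    parts = urlsplit(target)
    if parts.path != "/index.php" or "user/login" not in parts.query:
        return None
    for field in parts.query.split("&"):
        name, _, value = field.partition("=")
        if name != "link":
            continue
        try:
            # Decode first so %2F%2Fhost and //host are treated like http://host.
            host = urlsplit(unquote(value).strip()).hostname
        except ValueError:
            return "<unparseable>"  # malformed URL in link= is worth a look too
        if host and host not in site_hosts:
            return host
    return None

def scan(lines, site_hosts=SITE_HOSTS):
    """Return (client_ip, off-site host) for every access-log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        host = offsite_link_host(m.group("target"), site_hosts) if m else None
        if host:
            hits.append((line.split(" ", 1)[0], host))
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2025:10:00:01 +0000] "GET /index.php?user/login&link=http://offsite.example.net/a HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Sep/2025:10:00:02 +0000] "GET /index.php?user/login&link=%2F%2Foffsite.example.org%2Fb HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Sep/2025:10:00:03 +0000] "GET /index.php?user/login&link=dashboard HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Sep/2025:10:00:04 +0000] "GET /index.php?user/login&link=http://tourism.example.test/home HTTP/1.1" 302 0',
    '198.51.100.8 - - [10/Sep/2025:10:00:05 +0000] "GET /index.php?page=tours&link=http://offsite.example.net/a HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, host in scan(SAMPLE_LOG):
        print(f"{client} -> link= points off-site to {host}")
```

Set `SITE_HOSTS` to every name the application answers to, otherwise same-site redirects will be reported as hits.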