CVE-2025-69200
Published 2025-12-29
Priority: P1 · 81 · Severity: high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 2.00% (78.4th percentile)
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmyfaq | phpmyfaq | < 4.0.16 | 4.0.16 |
| phpmyfaq | phpmyfaq | — | — |
| thorsten | phpmyfaq | < 4.0.16 | 4.0.16 |
| thorsten | phpmyfaq | >= 0 < 4.0.16 | 4.0.16 |
| thorsten | phpmyfaq | 4.1.0-alpha – 4.1.0-beta.2 | — |
Detection & IOCs (extracted from sources)
sigma

```yaml
id: CVE-2025-69200
info:
  name: phpMyFAQ - Configuration Backup Disclosure
  author: Louay-075
  severity: high
http:
  - raw:
      - |
        POST /api/setup/backup HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain

        4.1.0-RC
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"backupFile":"'
          - '.zip'
        condition: and
      - type: word
        words:
          - "error"
          - "forbidden"
        negative: true
      - type: word
        part: content_type
        words:
          - application/json
```

- Detect unauthenticated POST requests to /api/setup/backup; a JSON response containing 'backupFile' and '.zip' indicates successful backup generation.
- The exploit sends a plain-text body of '4.1.0-RC' with Content-Type: text/plain to POST /api/setup/backup with no authentication headers.
- Use Shodan query 'http.title:"phpMyFAQ"' to identify exposed phpMyFAQ instances for proactive scanning.
- The generated backup ZIP is placed in a web-accessible location and can be downloaded directly; monitor for .zip file downloads from the phpMyFAQ web root.
- Extract the backup file URL from the JSON response field '.backupFile' to locate the downloadable ZIP containing database.php credentials.
- The vulnerability affects phpMyFAQ versions prior to 4.0.16; the Nuclei template description incorrectly states '<= 4.0.16' but the fix is included in 4.0.16.
- No authentication is required to exploit this endpoint; network-level controls blocking unauthenticated access to /api/setup/backup are a viable mitigation until patching.
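A defender-side check that applies the detection guidance above to web server access logs, correlating a successful POST to /api/setup/backup with a follow-up .zip download by the same client. This is an added example, not code from the page's sources or from phpMyFAQ; the log lines and the ZIP path are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic). The ZIP name and
# location are placeholders: the real path depends on the deployment's config directory.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2025:10:14:02 +0000] "POST /api/setup/backup HTTP/1.1" 200 118 "-" "curl/8.4.0"
203.0.113.7 - - [29/Dec/2025:10:14:03 +0000] "GET /config/EXAMPLE-backup.zip HTTP/1.1" 200 20480 "-" "curl/8.4.0"
198.51.100.20 - - [29/Dec/2025:10:15:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Dec/2025:10:15:04 +0000] "POST /api/setup/backup HTTP/1.1" 403 12 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
BACKUP_ENDPOINT = "/api/setup/backup"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def detect(log_text, window=timedelta(minutes=5)):
    """Return (kind, ip, path) alerts in log order.
    backup_blocked:    POST to the endpoint answered 4xx (access control is working).
    backup_generated:  POST answered 2xx, so a backup ZIP now exists under the web root.
    backup_downloaded: a .zip fetched with 200 by the same IP within `window` of a 2xx POST."""
    alerts, last_generated = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == BACKUP_ENDPOINT:
            if 200 <= status < 300:
                last_generated[ip] = ts
                alerts.append(("backup_generated", ip, path))
            elif 400 <= status < 500:
                alerts.append(("backup_blocked", ip, path))
        elif (method == "GET" and path.lower().endswith(".zip") and status == 200
              and ip in last_generated and ts - last_generated[ip] <= window):
            alerts.append(("backup_downloaded", ip, path))
    return alerts
```

The 4xx branch doubles as evidence that the network-level block on the endpoint suggested above is actually in effect.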
CVSS provenance
NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH
OSV
osv · 2025-12-30
CVE-2025-69200 [HIGH] phpMyFAQ has unauthenticated config backup download via /api/setup/backup
### Summary
An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise.
### Details
The endpoint `/api/setup/backup` is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated
GHSA
ghsa · 2025-12-30
CVE-2025-69200 [HIGH] CWE-202 phpMyFAQ has unauthenticated config backup download via /api/setup/backup (advisory text identical to the OSV entry above)
VulnCheck
vulncheck · 2025 · CVSS 7.5
CVE-2025-69200 [HIGH] phpmyfaq phpmyfaq Exposure of Sensitive Information Through Data Queries
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.
Affected: phpmyfaq phpmyfaq
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statis
No detection rules found.
Nuclei
nuclei · CVSS 7.5
CVE-2025-69200 [HIGH] phpMyFAQ - Configuration Backup Disclosure
phpMyFAQ <= 4.0.16 contains an information disclosure vulnerability caused by unauthenticated access to configuration backup ZIP generation and download, letting remote attackers access sensitive configuration files; exploitation requires no authentication.
Template:

```yaml
id: CVE-2025-69200
info:
  name: phpMyFAQ - Configuration Backup Disclosure
  author: Louay-075
  severity: high
  description: |
    phpMyFAQ <= 4.0.16 contains an information disclosure vulnerability caused by unauthenticated access to configuration backup ZIP generation and download, letting remote attackers access sensitive configuration files, exploit requires no authentication.
  impact: |
    Remote attackers can access sensitive configuration files, exposing database credentials and enabling fur
```