CVE-2019-25471

CriticalPublic PoC

Published: 11 March 2026

Published

11 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0084 74.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible…

directories, and execute arbitrary commands through the extracted PHP files.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the arbitrary file upload flaw in FileThingie 2.5.7's ft2.php endpoint to prevent exploitation via malicious ZIP archives.

SI-10 Information Input Validation good match

prevent

Validates uploaded ZIP archives and their contents at the ft2.php endpoint to block malicious PHP shells from being processed and extracted.

SI-9 Information Input Restrictions good match

prevent

Restricts file uploads at the ft2.php endpoint to safe, non-executable types excluding ZIP archives and PHP files containing potential shells.

Security SummaryAI

CVE-2019-25471 is an arbitrary file upload vulnerability in FileThingie 2.5.7, affecting the ft2.php endpoint. The flaw allows attackers to upload malicious files by sending ZIP archives, which the application processes using its unzip functionality to extract contents into accessible directories. This enables the inclusion of PHP shells or other malicious payloads within the archives.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no user interaction required, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-22. Successful exploitation allows attackers to execute arbitrary commands through the extracted PHP files, achieving high impacts on confidentiality, integrity, and availability via remote code execution.

Advisories and related resources, including the Vulncheck advisory at https://www.vulncheck.com/advisories/filethingie-arbitrary-file-upload-via-ft2-php, Exploit-DB entry at https://www.exploit-db.com/exploits/47349, and FileThingie source archive at https://github.com/leefish/filethingie/archive/master.zip, provide further details on exploitation and potential mitigation steps.

Details

CWE(s): CWE-22

Affected Products

leefish

file thingie

≤ 2.5.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Arbitrary file upload in public-facing web application (T1190) enables uploading and extracting PHP web shells (T1100) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/leefish/filethingie/archive/master.zip
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/47349
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/filethingie-arbitrary-file-upload-via-ft2-php
Third Party Advisory · disclosure@vulncheck.com