CVE-2019-25630

HighPublic PoC

Published: 24 March 2026

Published

24 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0077 73.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to…

the bizuno/image/manager endpoint and execute them via the bizunoFS.php script for remote code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly enforces validation of the imgFile parameter in the Image Manager upload endpoint to block unrestricted uploads of dangerous PHP files.

SI-2 Flaw Remediation good match

prevent

Remediates the specific arbitrary file upload flaw in PhreeBooks ERP 5.2.3 by identifying, patching, and testing the vulnerable Image Manager component.

SI-3 Malicious Code Protection partial match

preventdetect

Scans uploaded files and monitors for malicious code execution via bizunoFS.php to mitigate remote code execution from exploited uploads.

Security SummaryAI

PhreeBooks ERP version 5.2.3 suffers from an arbitrary file upload vulnerability in its Image Manager component. The flaw allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint at bizuno/image/manager via the imgFile parameter. Uploaded PHP files can then be executed through the bizunoFS.php script, enabling remote code execution. This issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact remote code execution, potentially allowing full server compromise, including data exfiltration, modification, or denial of service.

Advisories and references, including those from Vulncheck detailing the PhreeBooks ERP arbitrary file upload via Image Manager, highlight the issue but do not specify patches in the provided details. A proof-of-concept exploit is publicly available on Exploit-DB (exploit 46644), and the latest PhreeBooks files can be downloaded from SourceForge, with the vendor site at phreesoft.com.

A proof-of-concept exploit demonstrates practical exploitability, underscoring the risk for unpatched PhreeBooks ERP 5.2.3 deployments. The CVE was published on 2026-03-24 despite its 2019 designation.

Details

CWE(s): CWE-434

Affected Products

phreesoft

phreebookserp

5.2.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Arbitrary file upload vulnerability in a web-based ERP application's Image Manager enables exploitation of public-facing applications (T1190) and execution of uploaded PHP files as web shells (T1100) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://sourceforge.net/projects/phreebooks/files/latest/download
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46644
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.phreesoft.com/
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/phreebooks-erp-arbitrary-file-upload-via-image-manager
Third Party Advisory · disclosure@vulncheck.com