CVE-2025-0213
Published: 04 January 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-0213 is a critical vulnerability in Campcodes Project Management System 1.0, affecting unknown code in the file /forms/update_forms.php?action=change_pic2&id=4. The issue stems from manipulation of the 'file' argument, enabling unrestricted file upload (CWE-284, CWE-434). It was published on 2025-01-04 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely without user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability. A publicly disclosed proof-of-concept on GitHub demonstrates remote code execution via arbitrary file upload.
VulDB advisories (vuldb.com/?ctiid.290158, vuldb.com/?id.290158, vuldb.com/?submit.474200) document the vulnerability and its submission details. The vendor site is at www.campcodes.com/, but no specific patches or mitigations are detailed in the provided references.
The exploit has been disclosed to the public and may be used, as noted in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unrestricted arbitrary file upload in a public-facing web application (/forms/update_forms.php), enabling remote exploitation of public-facing applications (T1190) and facilitating the deployment of web shells for remote code execution (T1505.003), as demonstrated in the RCE POC.