Cyber Posture

CVE-2025-50881

Severity: High
Published: 16 March 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mandates validation of the user-supplied `action` URL parameter so that insufficiently sanitized data cannot reach the `eval()` call and enable code injection.

prevent: Requires identification, reporting, and correction of the code injection flaw in `flow/admin/moniteur.php` by patching to version 10.0.0 or later.

prevent: Restricts the `action` parameter to valid method names or predefined values, so that an attacker cannot append arbitrary PHP code after the partial `method_exists()` check.
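The following is an added example, not the Use It Flow `moniteur.php` source (this page does not reproduce that code). It reconstructs the pattern the description and the controls above refer to: a dispatcher that checks `method_exists()` only on the text before the first `(` and then hands the whole user string to `eval()`, next to a hardened dispatcher that treats `action` as a bare allowlisted identifier and never evaluates a string. The `Monitor` class, its method names and the exact shape of the `eval()` string are assumptions chosen for illustration.

```php
<?php
// Added example (not the Use It Flow moniteur.php source). The Monitor class,
// method names and the exact eval() shape are assumptions that reproduce the
// pattern the advisory describes: method_exists() is checked only on the text
// before the first "(", and the whole user-supplied string then reaches eval().

class Monitor
{
    public function status(): string { return 'status ok'; }
    public function uptime(): string { return 'uptime 42s'; }
}

// Vulnerable pattern: the name check covers only "status"; everything after the
// first "(" reaches eval() unchecked, so a valid call followed by extra PHP runs.
function dispatchVulnerable(Monitor $m, string $action): string
{
    $name = strstr($action, '(', true);          // text before the first "("
    if ($name === false || !method_exists($m, $name)) {
        return 'unknown action';
    }
    $result = null;
    eval('$result = $m->' . $action . ';');      // executes the entire string
    return (string) $result;
}

// Hardened pattern: the parameter is a bare identifier that must be on an
// allowlist, and the method is invoked directly. No string is ever evaluated,
// so there is nothing for an attacker to append code to.
function dispatchHardened(Monitor $m, string $action): string
{
    $allowed = ['status', 'uptime'];
    if (!in_array($action, $allowed, true)) {
        return 'unknown action';
    }
    return $m->$action();
}

// Constructed inputs: a bare name, the call form the check was written for, and
// the bypass shape from the advisory (a valid call followed by further PHP).
// The appended statement only overwrites $result, so its effect is visible but harmless.
$m = new Monitor();
$inputs = [
    'status',
    'status()',
    'status(); $result = "appended code ran"',
];
foreach ($inputs as $action) {
    printf("vulnerable %-42s -> %s\n", $action, dispatchVulnerable($m, $action));
    printf("hardened   %-42s -> %s\n", $action, dispatchHardened($m, $action));
}
```

Run it with `php dispatch.php`. The vulnerable dispatcher serves `status()` and also executes the appended statement in the third input, because the check saw only `status`; the hardened one serves only the bare name `status` and rejects the other two. If the existing URL format must keep `action=status()`, strip a literal trailing `()` before the allowlist comparison rather than loosening the allowlist, and keep the direct method call in place of `eval()`.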

Security Summary

CVE-2025-50881 is a remote code execution vulnerability in the `flow/admin/moniteur.php` script of the Use It Flow administration website in versions before 10.0.0. The flaw arises when handling GET requests: the script accepts user-supplied input from the `action` URL parameter without sufficient validation, incorporates it into a string executed via PHP's `eval()` function, and performs a `method_exists()` check that only validates the portion of the input before the first parenthesis `(`. An attacker can therefore append arbitrary PHP code after a valid method call structure. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection).

The CVSS vector scores the attacker as low-privileged (PR:L), while the description states that an unauthenticated or trivially authenticated attacker suffices; practitioners should treat the endpoint as reachable by anyone who can send it a GET request. Exploitation is over the network with no user interaction required: a crafted `action` value that passes the partial name check but carries executable PHP after the method call yields arbitrary code execution on the server under the privileges of the web server process. The impact on confidentiality, integrity, and availability is rated high, and full server compromise is the realistic outcome.

The references listed for this CVE are http://advanced.com, http://use.com, and https://github.com/0xdeadbit/CVE-2025-50881; review them for patching instructions and workarounds. The CVE was published on 2026-03-16.

Details

CWE(s): CWE-94 Code Injection

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? The vulnerability allows remote code execution via a crafted GET request to a public-facing web application endpoint, which maps directly to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
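Because the technique is a crafted GET request to one known endpoint, the request shape is visible in web-server access logs. The following is an added detection example, not from the page or the vendor: it scans access-log lines (format and entries constructed here) for GET requests to `moniteur.php` whose decoded `action` value is anything other than a bare method name or a bare `name()` call, which is the shape the description says carries the appended PHP. The log format, IP addresses and timestamps are assumptions; adjust the path pattern to the actual deployment.

```php
<?php
// Added detection example, not from the page or the vendor. Scans web-server
// access-log lines (constructed below) for GET requests to moniteur.php whose
// decoded "action" value is anything other than a bare method name or a bare
// "name()" call, the request shape the advisory says carries the injected PHP.

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [16/Mar/2026:10:01:02 +0000] "GET /flow/admin/moniteur.php?action=status() HTTP/1.1" 200 512
10.0.0.9 - - [16/Mar/2026:10:01:07 +0000] "GET /flow/admin/moniteur.php?action=status()%3B+echo+1%3B HTTP/1.1" 200 9120
10.0.0.7 - - [16/Mar/2026:10:02:11 +0000] "GET /flow/admin/index.php?page=home HTTP/1.1" 200 2048
10.0.0.9 - - [16/Mar/2026:10:03:44 +0000] "GET /flow/admin/moniteur.php?action=uptime HTTP/1.1" 200 400
LOG;

// Returns one entry per suspicious request: client IP, raw timestamp, decoded action.
function suspiciousActionRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Request line of a GET to moniteur.php that carries a query string.
        if (!preg_match('#^(\S+) .*? \[([^\]]+)\] "GET /[^ "]*moniteur\.php\?([^ "]*) HTTP#', $line, $m)) {
            continue;
        }
        parse_str($m[3], $params);              // percent-decodes the query string
        $action = $params['action'] ?? null;
        if ($action === null) {
            continue;
        }
        // Legitimate values are a bare identifier, optionally followed by "()".
        // Anything else (a ";" and more code after the call, quotes, spaces)
        // is exactly what the partial method_exists() check would have let through.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\(\))?$/', $action)) {
            $hits[] = ['client' => $m[1], 'time' => $m[2], 'action' => $action];
        }
    }
    return $hits;
}

foreach (suspiciousActionRequests(SAMPLE_LOG) as $hit) {
    printf("ALERT %s [%s] moniteur.php action=%s\n", $hit['client'], $hit['time'], $hit['action']);
}
```

Run with `php detect.php`. Of the four constructed lines, only the second is flagged: after decoding, its `action` is `status(); echo 1;`, a valid call followed by further code. The plain `status()` and `uptime` requests pass, and the `index.php` request is never examined. Matching on the decoded value matters, since the appended payload will normally arrive percent-encoded.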

References

http://advanced.com
http://use.com
https://github.com/0xdeadbit/CVE-2025-50881