CVE-2025-63994
Published: 18 November 2025
Description
An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file.
Mitigating Controls (NIST 800-53 r5)
- SI-2 Flaw Remediation: directly remediates the flaw in /php/UploadHandler.php by identifying, prioritizing, and correcting the arbitrary file upload vulnerability through patching or code fixes.
- SI-10 Information Input Validation: requires validation of uploaded files for type, content, and dangerous characteristics (extension anywhere in the name, declared versus actual content type, embedded script) so that a crafted file is rejected before it is written to a web-served path.
- SI-3 Malicious Code Protection: deploys malicious code protection at system entry points to scan and quarantine uploaded crafted files before they can be executed.
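The validation SI-10 calls for, written out as an added example that is not RichFilemanager's code: a Python function enforcing the policy a fixed upload handler would need (single-component name, no executable or config extension in any dotted segment, final extension on an allowlist, content magic bytes matching the declared type, no embedded PHP markers, and a server-chosen random storage name). The allowlist, the executable-extension set and the inputs in the test are assumptions chosen for illustration.

```python
import secrets

# Allowlist: extensions the application needs, each with the magic bytes its
# content must start with. Anything not listed is rejected. (Assumed set.)
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a PHP-capable web server may execute, render as active content,
# or honour as configuration. Checked against every dotted segment of the name,
# not only the last, so "shell.php.jpg", "shell.phtml" and ".htaccess" are all
# refused. (Assumed set; extend it for the server in use.)
EXECUTABLE_PARTS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "htaccess", "html", "htm", "svg", "cgi", "pl", "sh",
}

# Markers that betray script content hidden behind a valid image header.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, content: bytes):
    """Return (accepted, reason, storage_name).

    storage_name is chosen by the server (random hex plus the allowlisted
    extension), so the client-supplied name never decides how the file is served.
    """
    # 1. The name must be a single path component with no control characters.
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or NUL byte in name", None

    # 2. Normalise: lower-case, and drop trailing dots/spaces that some servers
    #    and filesystems silently strip ("shell.PHP." becomes "shell.php").
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension", None

    # 3. No executable or config-file extension anywhere in the name.
    if any(part in EXECUTABLE_PARTS for part in parts):
        return False, "executable extension in name", None

    # 4. The final extension must be allowlisted ...
    ext = parts[-1]
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not allowlisted", None

    # 5. ... and the content must actually start like that type.
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared type", None

    # 6. Defense in depth against polyglots (valid header followed by PHP code).
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        return False, "embedded script markers", None

    return True, "ok", f"{secrets.token_hex(16)}.{ext}"
```

Magic-byte and marker checks are defense in depth, not the decisive control: a polyglot can still pass them. What actually removes the code-execution path is steps 3 and 4 combined with storing the file under the server-chosen name in a directory for which the web server has no PHP handler mapped.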
Security Summary
CVE-2025-63994, published on 2025-11-18, is an arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager version 2.7.6. The flaw enables attackers to execute arbitrary code by uploading a crafted file and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact potential.
Remote attackers without authentication or privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows uploading a malicious file, leading to arbitrary code execution on the affected server, potentially resulting in full compromise with high impacts on confidentiality, integrity, and availability.
Advisories and further details are available in the GitHub issue at https://github.com/psolom/RichFilemanager/issues/412. The CVE description names only v2.7.6 and states no fixed version, so any deployment that exposes /php/UploadHandler.php to the network should be treated as affected until a fix is confirmed, and the handler should not be reachable without authentication in the meantime.
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Affected Products: RichFilemanager v2.7.6
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated arbitrary file upload in a public-facing web component (/php/UploadHandler.php) that writes to a web-accessible directory maps to Exploit Public-Facing Application (T1190) for the initial access, Ingress Tool Transfer (T1105) for placing the attacker's file on the server, and Server Software Component: Web Shell (T1505.003) for the uploaded script that is then requested over HTTP to obtain remote code execution.
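A detection pass over web-server access logs for that T1190 to T1505.003 sequence, added here as an example and not part of the advisory: it flags POSTs to /php/UploadHandler.php and any request for a script-extension file under the upload directory, raising severity when the same client did both. The /userfiles/ prefix, the status-based severities and the log lines are constructed assumptions; set the prefix to the deployment's configured upload root.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format; fields beyond status are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_HANDLER = "/php/uploadhandler.php"
# Assumption: the directory the file manager writes uploads to, as served over
# HTTP. Adjust to the deployment's configured upload root.
UPLOAD_DIR_PREFIX = "/userfiles/"
# A script extension in any position of the name ("shell.php", "shell.php.jpg").
SCRIPT_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar|phps)(?:\.|$)")


def hunt(log_text: str):
    """Return findings in log order. A script fetch from the upload directory is
    rated high when the same client already posted to the upload handler."""
    findings = []
    upload_seen = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ts, method, raw_path, status = m.group("ip", "ts", "method", "path", "status")
        path = raw_path.split("?", 1)[0].lower()  # drop query, normalise case
        if method == "POST" and path.endswith(UPLOAD_HANDLER):
            upload_seen[ip] += 1
            findings.append({
                "kind": "upload_request", "ip": ip, "ts": ts, "path": raw_path,
                "status": int(status),
                # 200 means the handler accepted the request; 4xx/5xx are attempts.
                "severity": "medium" if status == "200" else "low",
            })
        elif path.startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT_RE.search(path):
            findings.append({
                "kind": "script_in_upload_dir", "ip": ip, "ts": ts, "path": raw_path,
                "status": int(status),
                "severity": "high" if upload_seen[ip] else "medium",
            })
    return findings


# Constructed sample: one client uploads and then calls its shell; a second
# client fetches a legitimate file and has an upload attempt blocked.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Nov/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Nov/2025:10:01:09 +0000] "POST /php/UploadHandler.php HTTP/1.1" 200 173 "-" "python-requests/2.32"
203.0.113.10 - - [18/Nov/2025:10:01:15 +0000] "GET /userfiles/shell.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.32"
198.51.100.7 - - [18/Nov/2025:10:02:30 +0000] "GET /userfiles/report.pdf HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Nov/2025:10:03:00 +0000] "POST /php/UploadHandler.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['kind']:22} {f['ip']:14} {f['ts']} {f['path']}")
```

Because the upload handler returns a JSON response rather than the stored path, the follow-up GET for the script is the higher-confidence signal; a POST to the handler alone is only an attempt indicator and will include legitimate use wherever the component is still deployed.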