CVE-2025-66802

CriticalPublic PoC

Published: 12 January 2026

Published

12 January 2026

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0052 66.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 enforces information input validation at upload points to check content-type, structure, and encoding, directly preventing acceptance of PHP reverse shells disguised as images.

SI-3 Malicious Code Protection good match

preventdetect

SI-3 requires malicious code protection mechanisms at system entry points like file uploads to detect and eradicate reverse shell payloads embedded in images.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and correction of flaws like unrestricted file uploads, remediating the root cause of this RCE vulnerability.

Security SummaryAI

CVE-2025-66802 is a critical remote code execution (RCE) vulnerability affecting Sourcecodester Covid-19 Contact Tracing System 1.0. The flaw allows attackers to upload a PHP reverse shell disguised within a user image, enabling arbitrary code execution on the server. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting a malicious image containing a PHP reverse shell through the application's upload functionality, the attacker gains full RCE, potentially compromising confidentiality, integrity, and availability of the system, such as executing commands, stealing data, or deploying malware.

Advisories and additional details are available in the provided references, including a Feedly entry at https://feedly.com/cve/CVE-2022-2746 and a GitHub repository at https://github.com/mtgsjr/CVE-2025-66802, which likely contain proof-of-concept exploits or further analysis. No specific patch or mitigation steps are detailed in the core CVE information.

Details

CWE(s): CWE-434

Affected Products

covid-19 contact tracing system project

covid-19 contact tracing system

1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) via unrestricted file upload, allowing deployment of a PHP reverse shell (T1100) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://feedly.com/cve/CVE-2022-2746
Not Applicable · cve@mitre.org
https://github.com/mtgsjr/CVE-2025-66802
Exploit, Mitigation, Third Party Advisory · cve@mitre.org