CVE-2025-67164
Published: 17 December 2025
Description
An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the arbitrary file upload vulnerability by validating uploaded file types, extensions, and content to block crafted PHP files.
Scans uploaded files in real-time for malicious code, preventing storage and execution of crafted PHP shells that enable arbitrary code execution.
Restricts file upload inputs to approved types and formats, limiting the ability to upload executable PHP files even for authenticated users.
Security SummaryAI
CVE-2025-67164 is an authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS version 1.0.18. Published on 2025-12-17, it enables attackers to execute arbitrary code by uploading a crafted PHP file, with associated weakness enumerations including CWE-78, CWE-94, and CWE-434. The vulnerability carries a CVSS v3.1 base score of 9.9, indicating critical severity.
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and results in high impacts to confidentiality (C:H), integrity (I:H), and availability (A:H), potentially allowing full remote code execution on the server.
A proof-of-concept exploit is documented in the vulnerability research repository at https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67164. No official advisories or patch details are specified in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authenticated arbitrary file upload in a public-facing CMS, enabling exploitation of public-facing applications (T1190) to deploy and execute a PHP web shell (T1100).