CRITICAL🇵🇱 Wersja polska

CVE-2025-52207

CVSS 9.9v3.1pub. 2025-06-27upd. 2026-04-15

PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.

🤖 AI Analysis
How it works

The file PBXCoreREST/Controllers/Files/PostController.php does not properly verify the target path during file uploads, which is a classic example of a path traversal vulnerability (CWE-23). An attacker with basic privileges (PR:L) can upload a PHP file with a crafted path, placing it outside the allowed directory – including in locations accessible by the web server. After uploading the file, it is possible to execute it remotely through a browser or HTTP request, resulting in code execution on the server side.

Impact

An attacker can gain the ability to execute code remotely (RCE) on the server hosting MikoPBX, and consequently achieve full system takeover, steal configuration data, and eavesdrop on VoIP communication. The vulnerability scope is changed (S:C), which means it is possible to affect beyond the direct application component.

Mitigation & patch

MikoPBX should be updated to a version containing the fix introduced in commit 3ee785429d3f1b33c9ab387ef4221127c9b8c5f3 available in the project GitHub repository. Until the patch is deployed, it is recommended to restrict access to the REST API interface exclusively to trusted networks and monitor server directories for unexpected PHP files.

Who is affected

MikoPBX in versions up to and including 2024.1.114.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References