Platform: php
Component: phpfilemanager
Fixed in: 1.7.9
CVE-2019-25632 describes a Local File Inclusion (LFI) vulnerability discovered in phpFileManager version 1.7.8. This flaw allows unauthenticated attackers to read sensitive files on the server by manipulating request parameters. The vulnerability impacts phpFileManager 1.7.8 and requires no authentication for exploitation. A fix is available through upgrading to a patched version.
The primary impact of CVE-2019-25632 is the potential for unauthorized access to sensitive files on the server. An attacker can exploit this vulnerability by crafting malicious GET requests to index.php, manipulating the action, fm_current_dir, and filename parameters. Successful exploitation allows the attacker to read arbitrary files, including system configuration files like /etc/passwd, potentially exposing user credentials and other sensitive information. Although the flaw only discloses files local to the server, the ability to read system files represents a significant security risk, potentially leading to further compromise of the system.
CVE-2019-25632 was published on 2026-03-24. There is no indication of active exploitation or inclusion in the CISA KEV catalog. Public proof-of-concept (PoC) code is likely available given the simplicity of the LFI vulnerability, though no specific references were found in the provided data. The vulnerability's ease of exploitation makes it a potential target for automated scanning and exploitation attempts.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2019-25632 is to upgrade phpFileManager to a patched version. Since no specific patched version is provided, it's crucial to check the phpFileManager project's website or repository for the latest release. As a temporary workaround, restrict access to index.php using a web application firewall (WAF) or proxy server, blocking requests with suspicious parameter values. Carefully review and sanitize all user-supplied input to prevent malicious code injection. Regularly scan the system for unauthorized file modifications.
Update phpFileManager to a version later than 1.7.8 or apply a patch that mitigates the local file inclusion vulnerability. It is recommended to validate and sanitize user inputs to prevent manipulation of the 'action', 'fm_current_dir', and 'filename' parameters.
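To support the temporary workaround and the input-validation advice above, the following added example (not phpFileManager's code and not part of the advisory) triages web server access logs for index.php requests whose fm_current_dir and filename resolve outside the directory tree the file manager is meant to serve. Assumptions: the allowed root `/var/www/files`, the combined log format, and the way the two parameters are joined are all hypothetical, and the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the only tree this phpFileManager instance should serve from.
ALLOWED_ROOT = "/var/www/files"

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; "ACTION" is a placeholder, not a real value.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?action=ACTION&fm_current_dir=/var/www/files/docs/&filename=report.pdf HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?action=ACTION&fm_current_dir=/etc/&filename=passwd HTTP/1.1" 200 1843',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?action=ACTION&fm_current_dir=/var/www/files/../../../etc/&filename=passwd HTTP/1.1" 200 1843',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /about.php?filename=logo.png HTTP/1.1" 200 90',
]

def resolved_path(query):
    """Concatenate fm_current_dir and filename (assumed app behaviour) and
    normalize the result. parse_qs also undoes percent-encoding."""
    params = parse_qs(query, keep_blank_values=True)
    current_dir = params.get("fm_current_dir", [""])[0]
    filename = params.get("filename", [""])[0]
    if not current_dir and not filename:
        return None
    joined = (current_dir + "/" + filename).lstrip("/")
    return posixpath.normpath("/" + joined)  # collapses "//" and ".." segments

def is_outside_root(path, root=ALLOWED_ROOT):
    """True when the normalized path is neither the root nor a descendant."""
    root = posixpath.normpath(root)
    return path != root and not path.startswith(root + "/")

def suspicious_requests(log_lines, root=ALLOWED_ROOT):
    """Return (client_ip, resolved_path) for index.php requests leaving root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if posixpath.basename(url.path) != "index.php":
            continue
        path = resolved_path(url.query)
        if path is not None and is_outside_root(path, root):
            hits.append((m.group("ip"), path))
    return hits
```

The same containment test in `is_outside_root` is the check a WAF rule or a server-side validation routine would enforce before the file is opened; comparing against `root + "/"` avoids treating a sibling such as `/var/www/files-backup` as inside the root.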
CVE-2019-25632 is a Local File Inclusion vulnerability affecting phpFileManager version 1.7.8, allowing attackers to read arbitrary files on the server.
If you are running phpFileManager version 1.7.8, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade phpFileManager to a patched version. Check the project's website or repository for the latest release.
While there's no confirmed active exploitation, the vulnerability's simplicity makes it a potential target for automated scanning and exploitation.
Refer to the phpFileManager project's website or repository for the official advisory and release notes regarding this vulnerability.