Platform: php
Component: core
Fixed in: 2024.1.115
CVE-2025-52207 is a critical remote code execution (RCE) vulnerability discovered in MikoPBX, a VoIP phone system. This flaw allows attackers to upload malicious PHP scripts to the server, potentially gaining complete control over the system. The vulnerability affects versions 0 through 2024.1.114, and a patch is available in version 2024.1.115.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to execute arbitrary code on the MikoPBX server. This could lead to complete system compromise, including data theft, modification, or deletion. Attackers could also leverage the compromised server to launch further attacks against internal network resources, effectively using the VoIP system as a pivot point. Given the sensitive nature of VoIP communications (potentially containing call recordings, voicemails, and user credentials), the potential for data exfiltration is significant. The ability to execute arbitrary code also opens the door to denial-of-service attacks and the installation of persistent backdoors.
CVE-2025-52207 was publicly disclosed on 2025-06-27. While no active exploitation campaigns have been publicly confirmed as of this writing, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target for attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 5.80% (90th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade MikoPBX to version 2024.1.115 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file upload permissions within the PBXCoreREST application to prevent unauthorized uploads. Implement strict input validation on all file uploads to ensure that only allowed file types are processed. Consider using a Web Application Firewall (WAF) to block suspicious file upload attempts. Monitor system logs for unusual file activity, particularly the creation of PHP files in unexpected directories.
Update MikoPBX to a version later than 2024.1.114. This will correct the vulnerability that allows PHP script uploading to arbitrary directories. See commit 3ee785429d3f1b33c9ab387ef4221127c9b8c5f3 in the MikoPBX repository for more details on the fix.
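As an added defender-side example (not MikoPBX's code; the extension policy, directory names and log format are assumed), the following Python sketch shows the two interim controls named above: an upload validator that allowlists extensions, rejects any PHP-family extension anywhere in the name and confines the destination to the upload root, and a check over constructed file-creation events that flags PHP files appearing outside the directories expected to hold application code.

```python
import posixpath

# Constructed policy for an assumed upload endpoint; not MikoPBX's own code or configuration.
ALLOWED_EXTENSIONS = {"wav", "mp3", "gsm", "zip", "img"}
# Server-side executable extensions never written to disk, even as a middle extension.
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}

def validate_upload(client_name: str, upload_root: str, subdir: str = "") -> tuple:
    """Return (ok, detail). The client-supplied name is reduced to a basename, every
    extension in its chain is checked, and the destination is normalised and required
    to stay under upload_root so a crafted subdir cannot reach a web-served directory.
    The containment check is lexical; real code should also resolve symlinks first."""
    name = posixpath.basename(client_name.replace("\\", "/").rstrip("/"))
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    if any(ext in SCRIPT_EXTENSIONS for ext in parts[1:]):
        return False, "script extension rejected"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{parts[-1]} not allowed"
    root = posixpath.normpath(upload_root)
    dest = posixpath.normpath(posixpath.join(root, subdir, name))
    if dest != root and not dest.startswith(root + "/"):
        return False, "destination escapes upload root"
    return True, dest

def unexpected_php_creations(log_lines, code_dirs):
    """Flag CREATE events for PHP-family files outside the directories expected to hold
    application code (constructed log format: '<ts> <source> CREATE <path>')."""
    hits = []
    for line in log_lines:
        if " CREATE " not in line:
            continue
        path = line.split(" CREATE ", 1)[1].strip()
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        in_code_dir = any(path.startswith(d.rstrip("/") + "/") for d in code_dirs)
        if ext in SCRIPT_EXTENSIONS and not in_code_dir:
            hits.append(path)
    return hits

# Constructed sample events; paths are placeholders, not MikoPBX's real layout.
SAMPLE_LOG = [
    "2025-06-28T10:01:02Z fim CREATE /srv/pbx/uploads/call-0421.wav",
    "2025-06-28T10:01:05Z fim CREATE /srv/pbx/app/Controllers/Backup.php",
    "2025-06-28T10:02:17Z fim CREATE /srv/pbx/www/uploads/cmd.php",
    "2025-06-28T10:02:18Z fim MODIFY /srv/pbx/www/uploads/cmd.php",
]
```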
CVE-2025-52207 is a critical remote code execution vulnerability in MikoPBX VoIP phone systems, allowing attackers to upload and execute PHP scripts.
You are affected if you are running MikoPBX versions 0 through 2024.1.114. Check your version and upgrade immediately.
Upgrade MikoPBX to version 2024.1.115 or later. As a temporary workaround, restrict file upload permissions and implement strict input validation.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the MikoPBX website and security advisories for the latest information and updates regarding CVE-2025-52207.