Pending Analysis

CVE-2025-70364: RCE in Kiamo Photo Management Software

Platform

php

Component

kiamo

Fixed in

8.4

CVE-2025-70364 describes a Remote Code Execution (RCE) vulnerability in Kiamo photo management software versions before 8.4. An authenticated administrative user can execute arbitrary PHP code on the server; that code runs with the privileges of the web server or PHP-FPM process and can lead to complete compromise of the host. The vendor regards the underlying capability as a long-standing feature rather than a defect; version 8.4 adds restrictions on the PHP functions that can be invoked through it to address the risk. Upgrading to version 8.4 or later is recommended.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-70364 gives an attacker code execution on the server hosting the Kiamo instance, with the privileges of the PHP process (typically the web server or PHP-FPM user; taking full control of the host would additionally require a local privilege escalation). An authenticated administrator, or an attacker who has obtained administrator credentials through phishing, credential reuse or session theft, could exfiltrate, modify or delete photo data and user information, plant a persistent web shell, and pivot to other systems reachable from the Kiamo server. The blast radius therefore extends to any data stored and processed by the Kiamo application and to any network resources the compromised server can reach.

Exploitation Context

The vulnerability's exploitation context is currently unclear, and no public Proof-of-Concept (PoC) code has been released. Because the vendor describes the underlying capability as an intentional feature, exploitation requires nothing more than a valid administrator session; the realistic threat is therefore a compromised, shared or malicious administrator account rather than an unauthenticated remote attack. The CVE was published on 2026-04-09, and its severity is pending evaluation by NVD and CISA.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.05% (17th percentile)

Affected Software

Component: kiamo
Vendor: n/a
Minimum version: 0.0.0
Maximum version: n/a
Fixed in: 8.4

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-70364 is to upgrade Kiamo to version 8.4 or later, which restricts the PHP functions reachable through the administrative code-execution feature. If upgrading is not immediately feasible, reduce the number of accounts with administrator privileges, require multi-factor authentication for those that remain, restrict the administrative interface to trusted networks, and audit existing administrator accounts for unused or shared credentials. A Web Application Firewall (WAF) is of limited value here, since the requests come from an authenticated administrator using a legitimate feature, but server-side hardening helps contain the impact: run PHP as an unprivileged user, set a restrictive open_basedir, and use PHP's disable_functions directive to disable process-spawning functions such as exec, shell_exec, system, passthru, popen and proc_open for the Kiamo pool (confirm first that Kiamo itself does not rely on them). After upgrading, verify the fix by confirming that the installed version is 8.4 or later and, in a test environment, attempting a harmless call to one of the functions the 8.4 release notes list as restricted; it should be refused.

How to fix

Upgrade Kiamo to version 8.4 or later to mitigate the vulnerability. This version introduces restrictions on some PHP functions, limiting an attacker's ability to execute arbitrary code.

Frequently asked questions

What is CVE-2025-70364 — RCE in Kiamo Photo Management Software?

CVE-2025-70364 is a Remote Code Execution vulnerability in Kiamo versions before 8.4, allowing authenticated administrators to execute arbitrary PHP code. Severity is pending evaluation.

Am I affected by CVE-2025-70364 in Kiamo Photo Management Software?

You are affected if you run a Kiamo version prior to 8.4. Every deployment has at least one administrator account, so the practical question is who holds administrator credentials and how well those accounts are protected. Check your Kiamo version in the administrative interface or in your dependency manifest (or with /usr/bin/kiamo --version where your installation provides that binary).
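As an added example (not code from this advisory page or from the Kiamo project), the following Python script answers the version question for a Composer-managed deployment. It assumes Kiamo is installed as a Composer package whose name ends in "kiamo" (the advisory does not state the real package name, so the vendor prefix "acme" below is hypothetical), takes the 8.4 fix threshold from the Affected Software table above, treats a pre-release such as 8.4.0-RC1 as still below the fix, and flags non-numeric versions such as dev-main for manual review. The composer.lock content is constructed for the example.

```python
"""Flag a Kiamo package below the CVE-2025-70364 fix version (8.4) in a composer.lock.

Added example; not part of the advisory or the Kiamo project.
"""
import json
import re
import sys

FIXED_VERSION = "8.4"      # "Fixed in" value from the advisory
COMPONENT_NAME = "kiamo"   # assumption: last path segment of the Composer package name

# Constructed sample lock file for demonstration, not a real project's manifest.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/kiamo", "version": "v8.3.2"},      # hypothetical vendor prefix
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.1"},
    ],
})

# Optional "v" prefix, dotted numeric core, optional -prerelease and +build suffix.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return (numeric_parts, is_prerelease) or None for branch aliases like dev-main."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts, match.group(2) is not None


def version_lt(a, b):
    """True if version a sorts strictly below version b.

    Missing trailing components count as zero (8.4 == 8.4.0), and a pre-release
    sorts below its final release (8.4.0-RC1 < 8.4), so it is still 'affected'.
    """
    (a_parts, a_pre), (b_parts, b_pre) = a, b
    width = max(len(a_parts), len(b_parts))
    a_parts += (0,) * (width - len(a_parts))
    b_parts += (0,) * (width - len(b_parts))
    return (a_parts, not a_pre) < (b_parts, not b_pre)


def find_affected(lock_text, component=COMPONENT_NAME, fixed=FIXED_VERSION):
    """Return [(package_name, version_string, status)] for every matching package.

    status is 'affected' (below the fix), 'fixed' (at or above it) or
    'unknown' (version not comparable, e.g. dev-main; review manually).
    """
    lock = json.loads(lock_text)
    fixed_version = parse_version(fixed)
    results = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name.split("/")[-1].lower() != component:
                continue
            raw = pkg.get("version", "")
            parsed = parse_version(raw)
            if parsed is None:
                status = "unknown"
            elif version_lt(parsed, fixed_version):
                status = "affected"
            else:
                status = "fixed"
            results.append((name, raw, status))
    return results


if __name__ == "__main__":
    # Usage: python check_kiamo.py [path/to/composer.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSER_LOCK
    findings = find_affected(text)
    if not findings:
        print("no package matching '%s' found" % COMPONENT_NAME)
    for name, version, status in findings:
        print("%s %s -> %s (fixed in %s)" % (name, version, status, FIXED_VERSION))
```

Run it against a real composer.lock to see which sections contain the component; an "unknown" result means the lock pins a branch rather than a tagged release, and the installed code must be checked by hand against the 8.4 change.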

How do I fix CVE-2025-70364 in Kiamo Photo Management Software?

Upgrade Kiamo to version 8.4 or later to mitigate the vulnerability. Implement strict access controls for administrator accounts as an interim measure.

Is CVE-2025-70364 being actively exploited?

There is no public evidence of active exploitation at this time, and EPSS currently estimates the probability of exploitation at 0.05%. Because any administrator account already has code execution on the server, however, a compromised administrator credential translates directly into server compromise, so the upgrade should still be prioritized.

Where can I find the official Kiamo advisory for CVE-2025-70364?

Refer to the Kiamo project's official website and release notes for the latest advisory regarding CVE-2025-70364.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.


Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
