CVE-2025-24019 describes an Arbitrary File Access vulnerability discovered in YesWiki, a PHP-based wiki system. This flaw allows authenticated users to delete files owned by the FastCGI Process Manager (FPM) user, potentially leading to significant data loss and website compromise. The vulnerability impacts versions of YesWiki up to and including 4.4.5, with a fix available in version 4.5.0.
The impact of CVE-2025-24019 is substantial. An attacker, once authenticated within the YesWiki system, can leverage the filemanager to delete any file accessible to the FPM user. This includes critical configuration files, website assets, and potentially even system files depending on the server's setup. In containerized environments, this could allow deletion of essential PHP files, effectively rendering the YesWiki instance unusable. The ability to arbitrarily remove content enables defacement of the website and significant disruption of service. The scope of deletion is not limited by filesystem boundaries, amplifying the potential damage.
CVE-2025-24019 was publicly disclosed on 2025-01-21. Currently, there are no known public proof-of-concept exploits. The EPSS score is pending evaluation. While no active exploitation campaigns have been reported, the ease of exploitation once authenticated raises concerns about potential abuse, particularly in environments with weak authentication practices.
Organizations using YesWiki, particularly those with containerized deployments or shared hosting environments, are at risk. Legacy configurations with weak authentication or overly permissive file permissions are especially vulnerable. Users relying on YesWiki for critical documentation or knowledge management should prioritize patching.
• php: Examine web server access logs for requests to the filemanager endpoint with suspicious parameters that could indicate file deletion attempts. Look for patterns like ?file=../../../../etc/passwd.
    grep -iF 'file=../../' /var/log/apache2/access.log
• linux / server: Monitor FPM user processes for unexpected file activity. Use lsof to identify which processes have open files that are being deleted.
    lsof -u www-data | grep deleted
• generic web: Check response headers for unusual content types or error messages after attempting to access or delete files through the filemanager. Look for 403 Forbidden errors or unexpected file listings.
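The log check above misses percent-encoded and double-encoded traversal sequences. The following added example (not part of the original advisory or of YesWiki's code) decodes the `file` parameter before testing it and also flags absolute paths. The log lines are constructed, and the `/filemanager` request path is a placeholder assumption, not YesWiki's actual route.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request and status fields of an Apache combined-format log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PARAM = "file"  # parameter name taken from the page's ?file=... pattern


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value has a '..' path segment or is an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")


def suspicious_requests(lines):
    """Yield (client_ip, status, decoded_value) for traversal-style file parameters."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() == PARAM and is_traversal(value):
                yield line.split(" ", 1)[0], int(m.group("status")), fully_decode(value)


# Constructed sample lines; /filemanager is a placeholder path (assumption).
SAMPLE_LOG = [
    '203.0.113.7 - alice [21/Jan/2025:10:01:02 +0000] "GET /filemanager?file=notes.txt HTTP/1.1" 200 512',
    '203.0.113.9 - bob [21/Jan/2025:10:02:11 +0000] "GET /filemanager?file=../../../../etc/passwd HTTP/1.1" 403 199',
    '203.0.113.9 - bob [21/Jan/2025:10:02:15 +0000] "POST /filemanager?file=%252e%252e%252fconfig.php HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} file={value}")
```

A 200 status on a flagged request deserves more attention than a 403, since it suggests the request was not rejected.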
EPSS: 0.80% (74th percentile)
The primary mitigation for CVE-2025-24019 is to upgrade YesWiki to version 4.5.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider restricting file access permissions for the FPM user to minimize the potential damage. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the filemanager endpoint. Regularly review and audit file permissions within the YesWiki installation to ensure least privilege access. After upgrading, verify the fix by attempting to delete a test file through the filemanager with an authenticated user account; the deletion should be denied.
Upgrade YesWiki to version 4.5.0 or later. This version contains a fix for the arbitrary file deletion vulnerability. The upgrade can be performed through the YesWiki administration panel or by downloading the latest version from the official website and replacing the existing files.
CVE-2025-24019 is a vulnerability in YesWiki versions up to 4.4.5 that allows authenticated users to delete files owned by the FPM user, potentially leading to data loss and website defacement.
You are affected if you are running YesWiki version 4.4.5 or earlier. Upgrade to version 4.5.0 to resolve the vulnerability.
Upgrade YesWiki to version 4.5.0 or later. As a temporary workaround, restrict file access permissions for the FPM user.
No active exploitation campaigns have been reported, but the ease of exploitation warrants immediate attention and patching.
Refer to the YesWiki project's official website or security mailing list for the latest advisory and updates regarding CVE-2025-24019.