Platform: php
Component: filethingie
Fixed in: 2.5.8
CVE-2019-25471 describes a critical arbitrary file access vulnerability discovered in FileThingie. This flaw allows attackers to upload and execute malicious files, potentially leading to complete system compromise. The vulnerability impacts FileThingie versions 2.5.7 through 2.5.7. A patch is available in version 2.5.8.
The primary impact of CVE-2019-25471 is the ability for an attacker to gain arbitrary code execution on a system running FileThingie. By crafting a malicious ZIP archive containing PHP shell scripts and uploading it through the ft2.php endpoint, an attacker can leverage FileThingie's unzip functionality to extract the shell into a publicly accessible directory. Subsequently, the attacker can execute arbitrary commands on the server, potentially leading to data theft, system takeover, or denial of service. The blast radius extends to any sensitive data stored or processed by the FileThingie application, and the attacker could potentially pivot to other systems on the network.
CVE-2019-25471 is a high-severity vulnerability with a CVSS score of 9.8. Public proof-of-concept exploits are likely to emerge given the ease of exploitation. While no active campaigns have been publicly confirmed, the vulnerability's simplicity makes it an attractive target for opportunistic attackers. The vulnerability was published on 2026-03-11.
Web applications utilizing FileThingie version 2.5.7 are at significant risk. This includes applications deployed on shared hosting environments where file upload functionality is commonly used. Systems with weak input validation or inadequate WAF protection are particularly vulnerable.
• php: Examine web server access logs for requests to ft2.php containing ZIP files. Look for unusual file extensions or filenames within the uploaded ZIP archives.
  grep 'ft2\.php' access.log | grep '\.zip'
• php: Search for newly created PHP files in publicly accessible directories that may contain malicious code.
  find /var/www/html -name '*.php' -type f -mtime -1
• generic web: Monitor for unexpected PHP process executions on the server.
  ps aux | grep '[p]hp'
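As an added example, not code from the advisory or the FileThingie project, the POSIX shell script below runs the access-log check above over a constructed sample log: it counts POSTs to ft2.php, lists their source addresses, and reports PHP paths that were first requested only after that upload activity. The /files/backup.php path and the sample addresses are assumptions, not FileThingie locations.

```shell
#!/bin/sh
# Added example (not from the advisory): triage an access log for the upload
# pattern described above. All log lines are constructed sample data; the
# /files/ directory and backup.php name are assumptions, not FileThingie paths.

# Constructed sample log (Combined Log Format). The GET to /files/backup.php
# after the POSTs to ft2.php is the kind of event worth investigating.
SAMPLE_LOG='203.0.113.5 - - [11/Mar/2026:10:01:02 +0000] "GET /ft2.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:10:01:30 +0000] "POST /ft2.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:10:01:45 +0000] "POST /ft2.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.7 - - [11/Mar/2026:10:02:10 +0000] "GET /files/backup.php HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.7 - - [11/Mar/2026:10:02:12 +0000] "GET /files/backup.php?x=1 HTTP/1.1" 200 77 "-" "curl/8.0"'

# Count POST requests to ft2.php (uploads are POSTs; ordinary browsing is GET).
ft2_post_count() {
    grep -cE '"POST [^ ]*ft2\.php' "$1"
}

# Print the client addresses that POSTed to ft2.php, one per line, deduplicated.
ft2_post_sources() {
    grep -E '"POST [^ ]*ft2\.php' "$1" | awk '{ print $1 }' | sort -u
}

# Print PHP paths first requested only after the first POST to ft2.php.
# Combined log field layout: $6 is "METHOD (with the opening quote), $7 is the
# request path. Query strings are stripped before paths are compared.
new_php_after_upload() {
    awk '
        $6 == "\"POST" && $7 ~ /ft2\.php/ { seen_post = 1; next }
        $7 ~ /\.php([?]|$)/ {
            path = $7; sub(/[?].*/, "", path)
            if (!seen_post) { known[path] = 1 }
            else if (!(path in known) && !(path in flagged)) {
                flagged[path] = 1; print path
            }
        }' "$1"
}

# Stand-alone run against the constructed sample.
log_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$log_file"
echo "POSTs to ft2.php: $(ft2_post_count "$log_file")"
echo "Sources:"; ft2_post_sources "$log_file"
echo "PHP paths first seen after upload activity:"; new_php_after_upload "$log_file"
rm -f "$log_file"
```

Uploaded filenames travel in the multipart request body, which standard access logs do not record, so the ZIP name usually cannot be grepped from the log itself; correlate POSTs to ft2.php with the newly created PHP files that the find command above reports.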
EPSS: 0.20% (42nd percentile)
The primary mitigation for CVE-2019-25471 is to immediately upgrade FileThingie to version 2.5.8 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file uploads to specific file types, implementing strict input validation on the ft2.php endpoint to prevent ZIP uploads, and configuring a Web Application Firewall (WAF) to block requests containing malicious ZIP files. Monitor access logs for suspicious file upload attempts. After upgrading, confirm the fix by attempting to upload a test ZIP file containing a harmless PHP script and verifying that the upload fails or is properly sanitized.
Update FileThingie to version 2.5.8 or later to mitigate the arbitrary file upload vulnerability. Check and restrict the file types allowed for upload through the ft2.php endpoint. Implement robust validation of uploaded files to prevent the execution of malicious code.
CVE-2019-25471 is a critical vulnerability in FileThingie versions 2.5.7–2.5.7 that allows attackers to upload and execute malicious files, potentially leading to system compromise.
If you are using FileThingie version 2.5.7, you are vulnerable to this attack. Upgrade to version 2.5.8 or later to mitigate the risk.
The recommended fix is to upgrade FileThingie to version 2.5.8 or later. As a temporary workaround, restrict file uploads and implement WAF rules.
While no active campaigns have been confirmed, the vulnerability's simplicity makes it a likely target for attackers. Vigilance and prompt patching are crucial.
Refer to the FileThingie project's official website or security advisories for the most up-to-date information and guidance.