CVE-2018-25158
Published: 20 February 2026
Summary
CVE-2018-25158 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 29.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
Chamilo LMS version 1.11.8 is affected by CVE-2018-25158, an arbitrary file upload vulnerability in the elfinder filemanager module. This issue enables authenticated users to upload files with image headers via the social myfiles section, rename them to PHP extensions, and execute arbitrary PHP code by directly accessing the uploaded files. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated users with low-privilege access can exploit this vulnerability over the network with low attack complexity and no user interaction required. By abusing the elfinder module, attackers upload malicious PHP payloads disguised as images, rename them server-side, and trigger code execution upon access, achieving high impacts on confidentiality, integrity, and availability, such as server compromise or persistent backdoor deployment.
Advisories and resources including the VulnCheck advisory (https://www.vulncheck.com/advisories/chamilo-lms-arbitrary-file-upload-via-elfinder), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/47423), and the Chamilo LMS GitHub repository (https://github.com/chamilo/chamilo-lms) provide details on the issue and potential remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21614
Vulnerability details
Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute arbitrary code by accessing the uploaded files.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in a public-facing web application directly enables remote code execution through web shell deployment.
Mitigating Controls (NIST 800-53 r5)
- Validates file content and types in elfinder uploads to reject PHP scripts disguised with image headers, directly preventing CWE-434 unrestricted dangerous file uploads.
- Restricts file extensions and types allowed in the social myfiles section to block PHP uploads and renames, stopping exploitation of the elfinder module.
- Scans uploaded files for malicious PHP code before storage or execution, mitigating disguised payloads in the vulnerable filemanager.
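The three controls above correspond to three independent server-side checks. The following is an added illustration written for this page, not code from Chamilo LMS or the elfinder module; the function names, the extension allowlist and the sample byte strings are all constructed for the example. It shows why each check is needed on its own: an extension allowlist alone does not stop a renamed file, an image-header check alone does not stop a script hidden behind a valid header, and a rename that changes the final extension must be refused rather than trusted because the original upload passed.

```python
"""Added example (not Chamilo code): server-side checks for an image-upload
endpoint that address the CWE-434 pattern described above.

Three independent checks, so that defeating one is not enough:
  1. extension allowlist, applied to the FINAL extension of the stored name
  2. content sniffing: the file's leading bytes must match a known image
     signature for the claimed extension
  3. script-marker scan: reject bodies that carry a PHP open tag anywhere,
     even when they start with a valid image header
A rename is allowed only when the new name keeps the validated extension.
"""
import os
import re
from typing import Tuple

# Assumed allowlist for an avatar/"my files" style upload area.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the formats we accept, keyed by canonical extension.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags. A bare "<?" would also match XML prologs, so require the
# "<?php" or "<?=" forms.
PHP_MARKER = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def final_extension(filename: str) -> str:
    """Extension after the LAST dot, lowercased: 'shell.png.php' -> 'php'."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def extension_allowed(filename: str) -> bool:
    return final_extension(filename) in ALLOWED_EXTENSIONS


def content_matches_extension(data: bytes, ext: str) -> bool:
    sigs = MAGIC.get(ext)
    return sigs is not None and any(data.startswith(s) for s in sigs)


def contains_php(data: bytes) -> bool:
    return PHP_MARKER.search(data) is not None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). All three checks must pass."""
    ext = final_extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '<none>'}' not in allowlist"
    if not content_matches_extension(data, ext):
        return False, f"content does not look like a .{ext} image"
    if contains_php(data):
        return False, "PHP open tag found inside image payload"
    return True, "ok"


def validate_rename(old_name: str, new_name: str) -> Tuple[bool, str]:
    """A stored image may not become a .php file by renaming, which is the
    step the advisory describes; the type of a validated file is frozen."""
    if not extension_allowed(new_name):
        return False, f"rename target extension '{final_extension(new_name)}' not allowed"
    if final_extension(old_name) != final_extension(new_name):
        return False, "rename may not change the file extension"
    return True, "ok"


# Constructed sample inputs for the demonstration (not real uploads).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
POLYGLOT = b"GIF89a" + b"<?php echo 'x'; ?>"   # valid image header, script body
MISLABELED = b"<?php echo 1; ?>"                 # no image header at all

if __name__ == "__main__":
    for name, blob in [("avatar.png", REAL_PNG), ("avatar.gif", POLYGLOT),
                       ("avatar.png", MISLABELED), ("shell.php", REAL_PNG)]:
        print(name, validate_upload(name, blob))
    print(validate_rename("avatar.gif", "avatar.php"))
```

Only the first sample is accepted; the polyglot fails check 3 even though it passes checks 1 and 2, and the rename to a .php name is refused regardless of what the stored bytes are. In a real deployment the same validation has to run on the rename path of the file manager, not only on the initial upload, because that is exactly where the described bypass sits.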