CVE-2018-25158

Severity: High · Public PoC

Published: 20 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0038 (29.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25158 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 29.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

Chamilo LMS version 1.11.8 is affected by CVE-2018-25158, an arbitrary file upload vulnerability in the elfinder filemanager module. This issue enables authenticated users to upload files with image headers via the social myfiles section, rename them to PHP extensions, and execute arbitrary PHP code by directly accessing the uploaded files. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated users with low-privilege access can exploit this vulnerability over the network with low attack complexity and no user interaction required. By abusing the elfinder module, attackers upload malicious PHP payloads disguised as images, rename them server-side, and trigger code execution upon access, achieving high impacts on confidentiality, integrity, and availability, such as server compromise or persistent backdoor deployment.

Advisories and resources including the VulnCheck advisory (https://www.vulncheck.com/advisories/chamilo-lms-arbitrary-file-upload-via-elfinder), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/47423), and the Chamilo LMS GitHub repository (https://github.com/chamilo/chamilo-lms) provide details on the issue and potential remediation steps.

Vulnerability details

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute arbitrary code by accessing the uploaded files.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload in public-facing web app directly enables remote code execution via web shell deployment.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-22654 (shared CWE-434)
- CVE-2025-11948 (shared CWE-434)
- CVE-2025-67260 (shared CWE-434)
- CVE-2025-28915 (shared CWE-434)
- CVE-2023-53956 (shared CWE-434)
- CVE-2025-6058 (shared CWE-434)
- CVE-2021-47819 (shared CWE-434)
- CVE-2025-7852 (shared CWE-434)
- CVE-2026-4883 (shared CWE-434)
- CVE-2019-25630 (shared CWE-434)

Affected Assets

Chamilo LMS 1.11.8

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-10 Information Input Validation (prevent): Validates file content and types in elfinder uploads to reject PHP scripts disguised with image headers, directly preventing CWE-434 unrestricted dangerous file uploads.
- SI-9 Information Input Restrictions (prevent): Restricts file extensions and types allowed in the social myfiles section to block PHP uploads and renames, stopping exploitation of the elfinder module.
- Malicious content scanning (prevent, detect): Scans uploaded files for malicious PHP code before storage or execution, mitigating disguised payloads in the vulnerable filemanager.
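The three controls above describe one upload-hardening pattern: allowlist the extension, check that the file body really is the type its extension claims, scan the body for PHP open tags so a script appended after a valid image header is caught, and apply the same rules again when a file is renamed. The example below is added here to illustrate that pattern; it is not Chamilo or elfinder code, and the allowlists, magic-number table and function names are assumptions for the demonstration. The sample inputs are constructed.

```python
import re
from pathlib import PurePosixPath

# Assumed allowlist of extensions a file manager would accept for upload and rename.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Assumed list of extensions the web server would hand to the PHP interpreter;
# in practice derive this from the server configuration.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Leading bytes ("magic numbers") expected for each allowed binary type.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# PHP open tags; the whole body is scanned, not just the header, so a valid
# image header followed by a script (the CWE-434 pattern on this page) is caught.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def extensions_of(filename: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'report.php.png' yields ['php', 'png']."""
    return [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload; every check must pass."""
    exts = extensions_of(filename)
    if not exts:
        return False, "missing extension"
    # Reject an executable extension anywhere in the name, not only at the end,
    # because some server configurations execute on any matching suffix.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension in name"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist"
    expected = MAGIC.get(ext)
    if expected and not any(content.startswith(m) for m in expected):
        return False, f"content does not match .{ext} header"
    if PHP_TAG.search(content):
        return False, "PHP open tag found in file body"
    return True, "ok"


def validate_rename(old_name: str, new_name: str) -> tuple[bool, str]:
    """Rename guard: the new name obeys the same rules and keeps the original type."""
    old_exts, new_exts = extensions_of(old_name), extensions_of(new_name)
    if not new_exts:
        return False, "missing extension"
    if any(e in EXECUTABLE_EXTENSIONS for e in new_exts):
        return False, "rename to executable extension refused"
    if new_exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{new_exts[-1]} not in allowlist"
    if old_exts and old_exts[-1] != new_exts[-1]:
        return False, "rename may not change the file type"
    return True, "ok"


# Constructed samples: a minimal PNG header with padding, and the same header
# with a harmless PHP open tag appended to model an image/script polyglot.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    print(validate_upload("photo.png", CLEAN_PNG))          # (True, 'ok')
    print(validate_upload("photo.png", POLYGLOT_PNG))       # rejected: PHP tag in body
    print(validate_upload("report.php.png", CLEAN_PNG))     # rejected: executable extension
    print(validate_rename("photo.png", "photo.php"))        # rejected: rename to .php
    print(validate_rename("photo.png", "holiday.png"))      # (True, 'ok')
```

The rename guard is the piece most often missing: an upload filter alone does nothing if the same module later lets the file be renamed to a `.php` extension, which is exactly the sequence described for this CVE. Checking the body for PHP tags is a content scan, so it complements rather than replaces the extension and magic-number checks.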
