Cyber Resilience

CVE-2019-25471

CriticalPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0090 55.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2019-25471 is a critical-severity Path Traversal (CWE-22) vulnerability in Leefish File Thingie. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25471 is an arbitrary file upload vulnerability in FileThingie 2.5.7, affecting the ft2.php endpoint. The flaw allows attackers to upload malicious files by sending ZIP archives, which the application processes using its unzip functionality to extract contents into accessible directories. This enables the inclusion of PHP shells or other malicious payloads within the archives.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no user interaction required, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-22. Successful exploitation allows attackers to execute arbitrary commands through the extracted PHP files, achieving high impacts on confidentiality, integrity, and availability via remote code execution.

Advisories and related resources, including the Vulncheck advisory at https://www.vulncheck.com/advisories/filethingie-arbitrary-file-upload-via-ft2-php, Exploit-DB entry at https://www.exploit-db.com/exploits/47349, and FileThingie source archive at https://github.com/leefish/filethingie/archive/master.zip, provide further details on exploitation and potential mitigation steps.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible…

more

directories, and execute arbitrary commands through the extracted PHP files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload in public-facing web application (T1190) enables uploading and extracting PHP web shells (T1100) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-53942Same product: Leefish File Thingie
CVE-2025-24406Shared CWE-22
CVE-2026-24848Shared CWE-22
CVE-2024-11642Shared CWE-22
CVE-2026-36760Shared CWE-22
CVE-2024-44373Shared CWE-22
CVE-2026-33529Shared CWE-22
CVE-2026-7519Shared CWE-22
CVE-2019-25480Shared CWE-22
CVE-2026-39844Shared CWE-22

Affected Assets

leefish
file thingie
≤ 2.5.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the arbitrary file upload flaw in FileThingie 2.5.7's ft2.php endpoint to prevent exploitation via malicious ZIP archives.

prevent

Validates uploaded ZIP archives and their contents at the ft2.php endpoint to block malicious PHP shells from being processed and extracted.

prevent

Restricts file uploads at the ft2.php endpoint to safe, non-executable types excluding ZIP archives and PHP files containing potential shells.

References