CVE-2019-25480
Published: 11 March 2026
Summary
CVE-2019-25480 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2019-25480 is an unrestricted file upload vulnerability in the upload.php component of ARMBot. The flaw allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences such as ../public_html/, which lets them write executable PHP code into the web root and achieve remote code execution. It is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Note that this vector records confidentiality impact only (C:H/I:N/A:N), which understates a write-to-web-root code execution, and that the 8.7 headline score in the summary is given without a vector; treat the numbers as indicative rather than authoritative.
Because the attack complexity is low and no privileges or user interaction are required, any unauthenticated attacker with network access to upload.php can exploit it: a single crafted request bypasses the file restrictions and places a PHP file in the web server's document root, which the server then executes.
Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/armbot-unrestricted-file-upload-via-upload-php) and an Exploit-DB entry (https://www.exploit-db.com/exploits/47209), detail the vulnerability and provide proof-of-concept exploit code. No specific patches or mitigation steps are outlined in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19760
Vulnerability details
ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads such as ../public_html/ to write executable code to the web root and achieve remote code execution.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Unrestricted file upload with path traversal on a public-facing upload.php lets an attacker drop a web shell into the document root and gain remote code execution on the host.
Affected Assets: ARMBot, upload.php component (no affected version range is given in the available information)
Mitigating Controls (NIST 800-53 r5)
- Input validation (file parameter): validate the file parameter in upload.php so that path traversal sequences such as ../public_html/, and any directory component at all, are rejected, preventing arbitrary file placement in the web root.
- IA-8 (Identification and Authentication (Non-organizational Users)): require identification and authentication for non-organizational users before they can reach the upload functionality, so unauthenticated attackers cannot exploit the vulnerability.
- AC-3 (Access Enforcement): enforce approved access control policies that restrict logical writes to system resources such as the web root directory; in practice, run the PHP worker without write permission to the document root and store uploads outside it, so a traversal-based upload cannot land where it would be executed.
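As an added illustration (not ARMBot's code, and not the advisory's proof-of-concept), the following hypothetical PHP shows the upload pattern the advisory describes beside a hardened handler that implements the input-validation and containment controls listed above. The function names, the throwaway directory layout and the sample values of the file parameter are the editor's assumptions, not anything taken from ARMBot.

```php
<?php
// Added example, not ARMBot's code: a hypothetical reconstruction of the
// upload.php pattern behind CVE-2019-25480 next to a hardened handler.
// Function names are the editor's; the sample file names are constructed.
declare(strict_types=1);

// Vulnerable pattern (hypothetical): the client-controlled "file" value is
// joined onto the upload directory with no check, so
// "../public_html/shell.php" walks out of $uploadDir into the web root.
function vulnerable_target_path(string $uploadDir, string $name): string
{
    return rtrim($uploadDir, '/') . '/' . $name;
}

// Containment check: true only if $candidate's parent directory resolves
// (symlinks included) to $base or to a subdirectory of it.
function is_within(string $base, string $candidate): bool
{
    // realpath() refuses NUL bytes in PHP 8 (ValueError); reject them first.
    if (strpos($base, "\0") !== false || strpos($candidate, "\0") !== false) {
        return false;
    }
    $realBase   = realpath($base);
    $realParent = realpath(dirname($candidate));
    if ($realBase === false || $realParent === false) {
        return false;
    }
    return $realParent === $realBase
        || strncmp($realParent, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) === 0;
}

// Hardened pattern: returns the on-disk path to write, or null to reject.
// $uploadDir must exist and should sit outside the web root, so that even a
// file that slips past the allowlist is never served as code.
function safe_target_path(string $uploadDir, string $name, array $allowedExt = ['png', 'jpg', 'jpeg', 'gif']): ?string
{
    // 1. Only a bare file name is acceptable: no separators, no NUL bytes
    //    (classic truncation trick), nothing dot-prefixed, sane length.
    if ($name === '' || strlen($name) > 255 || $name[0] === '.') {
        return null;
    }
    if (preg_match('#[/\\\\\x00]#', $name) === 1 || basename($name) !== $name) {
        return null;
    }
    // 2. Extension allowlist, compared case-insensitively (.php, .phtml, .PhP ...).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // 3. Never reuse the client name on disk: random name plus the allowlisted
    //    extension, so "shell.php.png" style double extensions are moot.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 4. Defence in depth: confirm the final path is still inside $uploadDir.
    return is_within($uploadDir, $target) ? $target : null;
}

// --- Stand-alone demo on a throwaway directory tree ------------------------
$root = sys_get_temp_dir() . '/cve-2019-25480-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
mkdir("$root/public_html", 0700, true);
$uploadDir = "$root/uploads";

// Constructed sample values of the "file" parameter, benign and hostile.
$samples = [
    'avatar.png',
    '../public_html/shell.php',   // traversal payload named in the advisory
    'shell.php',                  // executable upload without traversal
    "safe.png\0.php",             // NUL-byte truncation attempt
    '..\\public_html\\shell.php', // backslashes: contained on Linux, escapes on Windows
];

foreach ($samples as $name) {
    $vuln = vulnerable_target_path($uploadDir, $name);
    $safe = safe_target_path($uploadDir, $name);
    printf("%-34s vulnerable -> %s | hardened -> %s\n",
        json_encode($name),
        is_within($uploadDir, $vuln) ? 'passes containment' : 'FAILS containment',
        $safe === null ? 'rejected' : 'stored as ' . basename($safe));
}
// In a real handler, finish with
//   move_uploaded_file($_FILES['file']['tmp_name'], $safe)
// after checking finfo_file(finfo_open(FILEINFO_MIME_TYPE), $tmp) against the allowlist.
```

Run it from the CLI with `php upload_demo.php`: the vulnerable path built from `../public_html/shell.php` fails the containment check because its parent resolves to the sibling public_html directory, while the hardened handler rejects every hostile sample and stores only `avatar.png`, under a random name. The backslash sample shows why rejecting separators is preferable to relying on `realpath()` alone: on Linux the backslash is an ordinary character and the vulnerable path stays inside uploads, but on a Windows host the same input escapes.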