
CVE-2019-25480

Severity: High · Public PoC available

Published: 11 March 2026
Modified: 15 April 2026
CVSS v4.0 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0072 (49.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25480 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2019-25480 is an unrestricted file upload vulnerability in the upload.php component of ARMBot. The flaw allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences, such as ../public_html/, which enables writing executable PHP code to the web root and achieving remote code execution. It is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of prerequisites. By sending a crafted request to upload.php, they can bypass file restrictions and place malicious PHP files in the web server's root directory, leading to arbitrary code execution on the affected system.

Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/armbot-unrestricted-file-upload-via-upload-php) and an Exploit-DB entry (https://www.exploit-db.com/exploits/47209), detail the vulnerability and provide proof-of-concept exploit code. No specific patches or mitigation steps are outlined in the available information.


Vulnerability details

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads such as ../public_html/ to write executable code to the web root and achieve remote code execution.

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload with path traversal on public-facing upload.php enables web shell deployment and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: Validates the file parameter in upload.php to reject path traversal sequences like ../public_html/, preventing arbitrary file placement in the web root.

prevent (IA-8, Identification and Authentication (Non-organizational Users)): Requires identification and authentication for non-organizational users accessing the upload functionality, blocking unauthenticated attackers from exploiting the vulnerability.

prevent (AC-3, Access Enforcement): Enforces approved access control policies to restrict logical writes to system resources like the web root directory, mitigating path traversal-based file uploads.
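The input validation control described above, as an added example that is not ARMBot's code or the advisory's: a hardened PHP destination-path check beside the vulnerable concatenation it replaces. It assumes uploads are stored in a directory outside the web root and that the client-supplied name arrives in a `file` POST parameter (the parameter name comes from the advisory text; the storage path, function names and extension allow-list are assumptions).

```php
<?php
// Added example, not ARMBot's code: a hardened upload path check that
// implements the "reject traversal sequences" control above, beside the
// vulnerable pattern it replaces. Assumptions: uploads live in UPLOAD_DIR,
// outside the web root, and the client-supplied name arrives as $_POST['file'].
declare(strict_types=1);

const UPLOAD_DIR  = '/var/app/uploads';              // assumed; not public_html
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'pdf'];   // assumed allow-list, no .php

// Vulnerable pattern: user input is concatenated straight into the path, so
// "../public_html/shell.php" resolves outside the upload directory.
function unsafeTargetPath(string $userName): string
{
    return UPLOAD_DIR . '/' . $userName;
}

// Hardened replacement: returns the destination path, or null to reject.
function safeTargetPath(string $userName): ?string
{
    // 1. Reject any path separator or NUL byte before doing anything else;
    //    this alone stops "../public_html/x.php".
    if (preg_match('/[\/\\\\\x00]/', $userName)) {
        return null;
    }
    $name = basename($userName);
    // 2. Allow-list the file name characters; this also rejects "", ".",
    //    ".." and names starting with a dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
        return null;
    }
    // 3. Exactly one extension, taken from the allow-list (no "a.php.png").
    $parts = explode('.', $name);
    if (count($parts) !== 2 || !in_array(strtolower($parts[1]), ALLOWED_EXT, true)) {
        return null;
    }
    // 4. Containment check: the resolved parent must be the upload directory.
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null;                       // directory missing: fail closed
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    return dirname($target) === $base ? $target : null;
}

// Usage at the top of the upload handler (assumed request shape):
// $dest = safeTargetPath($_POST['file'] ?? '');
// if ($dest === null) { http_response_code(400); exit; }
// move_uploaded_file($_FILES['upload']['tmp_name'], $dest);
```

The PHP engine must also be configured not to execute scripts from the upload directory, since the extension allow-list is a second line of defence rather than the only one.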
