Cyber Resilience

CVE-2019-25673

Severity: High · Public PoC

Published: 05 April 2026
Modified: 16 April 2026
KEV Added: not listed
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0041 (32.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25673 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 32.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25673 is an arbitrary file upload vulnerability affecting UniSharp Laravel File Manager versions v2.0.0-alpha7 and v2.0. The flaw allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint, specifically PHP files with the "type" parameter set to "Files". Once uploaded, the file can be executed by requesting it through the working directory path, giving the attacker arbitrary code execution. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

The attack requires low-privilege authenticated access (PR:L) over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploiting it enables remote code execution, granting high-impact confidentiality, integrity, and availability compromises (C:H/I:H/A:H) on the affected system.

Mitigation details are available in referenced advisories, including the GitHub repository at https://github.com/UniSharp/laravel-filemanager, issue tracker at https://github.com/UniSharp/laravel-filemanager/issues/356, an Exploit-DB entry at https://www.exploit-db.com/exploits/46389, and a Vulncheck advisory at https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary PHP file upload directly enables web shell deployment (T1505.003, formerly T1100) on a public-facing Laravel app, with initial access via exploitation of the vulnerable upload endpoint (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Directly enforces validation of uploaded files to reject dangerous types like PHP, preventing arbitrary file upload and subsequent code execution.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and patching of flaws like CVE-2019-25673 in vulnerable components such as UniSharp Laravel File Manager.

SI-3 Malicious Code Protection (prevent, detect)
Deploys malicious code protection at upload endpoints to scan and block PHP shells or other executable malicious files before storage and execution.
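As an added illustration of the SI-10 control above (this is example code written for this page, not code from the UniSharp project or from the advisories it cites), the following plain-PHP validator shows what an allowlist-based upload check looks like in practice. It ignores the client's filename, Content-Type and any request parameter such as the "type" field named in the vulnerability details, and instead requires that both the extension and the sniffed content match one of a few permitted types, with any PHP-like fragment anywhere in the name rejected outright. The class name UploadPolicy, the allowed types and the 5 MB size limit are assumptions made for the example.

```php
<?php
// Added example (not UniSharp project code): allowlist-based upload vetting.
// Assumptions: class/constant names, allowed types and size limit are chosen
// for this example; a real application would load them from configuration.

declare(strict_types=1);

final class UploadPolicy
{
    /** Extension => MIME type(s) that content sniffing must report. */
    private const ALLOWED = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    /** Fragments that may never appear in any dot-separated part of the
     *  name (shell.php.png included), because some server configurations
     *  dispatch on the first extension they recognise rather than the last. */
    private const FORBIDDEN_FRAGMENTS = ['php', 'phtml', 'phar', 'htaccess'];

    private const MAX_BYTES = 5 * 1024 * 1024; // assumed limit for the example

    /**
     * Returns a server-chosen filename to store under, or throws.
     * $clientName is untrusted input; $bytes is the raw upload content.
     */
    public static function vet(string $clientName, string $bytes): string
    {
        if ($bytes === '' || strlen($bytes) > self::MAX_BYTES) {
            throw new InvalidArgumentException('upload size out of range');
        }

        // Reduce to a basename so the client can never choose a directory.
        $base  = basename(str_replace('\\', '/', $clientName));
        $parts = explode('.', strtolower($base));
        if (count($parts) < 2) {
            throw new InvalidArgumentException('missing extension');
        }
        $ext = array_pop($parts);

        // Check every fragment, not only the final extension.
        foreach (array_merge($parts, [$ext]) as $fragment) {
            if (in_array($fragment, self::FORBIDDEN_FRAGMENTS, true)) {
                throw new InvalidArgumentException("forbidden name fragment: $fragment");
            }
        }
        if (!isset(self::ALLOWED[$ext])) {
            throw new InvalidArgumentException("extension not allowed: $ext");
        }

        // Decide on the bytes, not on the declared Content-Type or any
        // "type" request parameter: libmagic sniffs the file signature.
        $finfo   = new finfo(FILEINFO_MIME_TYPE);
        $sniffed = $finfo->buffer($bytes);
        if (!in_array($sniffed, self::ALLOWED[$ext], true)) {
            throw new InvalidArgumentException("content is $sniffed, not a valid $ext");
        }

        // Discard the client name entirely; a random name prevents path
        // prediction and prevents overwriting another user's file.
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }
}

// Constructed inputs for a quick check: a minimal PNG header and a PHP stub.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . str_repeat("\x00", 13) . "\x00\x00\x00\x00IEND";
$php = "<?php echo 'constructed sample'; ?>";

$cases = [
    ['photo.png',     $png], // accepted
    ['shell.php',     $php], // rejected: forbidden fragment
    ['shell.php.png', $php], // rejected: forbidden fragment before the real extension
    ['shell.png',     $php], // rejected: content sniffs as PHP, not PNG
    ['../../x.png',   $png], // accepted, but the path is discarded and a random name used
];

foreach ($cases as [$name, $bytes]) {
    try {
        printf("%-16s -> stored as %s\n", $name, UploadPolicy::vet($name, $bytes));
    } catch (InvalidArgumentException $e) {
        printf("%-16s -> REJECTED (%s)\n", $name, $e->getMessage());
    }
}
```

The script runs with a stock PHP CLI (the fileinfo extension is enabled by default) and needs no framework. Validation of this kind is only one layer: the same deployment should also store uploads outside the web root or on a path where the web server is configured not to execute scripts, so that a file which slips past the allowlist still cannot be run by requesting its URL, which is exactly the step that turns this upload flaw into code execution.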

References