CVE-2019-25685
Published: 05 April 2026
Summary
CVE-2019-25685 is a vulnerability of uncategorised severity and unspecified weakness type. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 40.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25685 is an arbitrary file upload vulnerability in phpBB, exploitable through the plupload functionality combined with the phar:// stream wrapper. Attackers can upload a crafted ZIP file containing serialized PHP objects, which trigger arbitrary code execution upon deserialization via the imagick parameter in attachment settings. The vulnerability is associated with CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables uploading malicious files, leading to remote code execution on the server, with high impacts on confidentiality, integrity, and availability.
Advisories and related resources, including the Vulncheck advisory at https://www.vulncheck.com/advisories/phpbb-arbitrary-file-upload-via-phar-deserialization and a proof-of-concept exploit at https://www.exploit-db.com/exploits/46512, provide further technical details on the issue.
A public exploit is available, highlighting the risk of real-world exploitation in unpatched phpBB installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20103
Vulnerability details
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2019-25685 enables exploitation of a public-facing phpBB web application via authenticated arbitrary file upload and phar deserialization leading to remote code execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely patching of the phpBB arbitrary file upload and phar deserialization flaw.
- Enforces validation of uploaded files to block crafted ZIP files exploiting plupload and the phar:// stream wrapper for path traversal and deserialization.
- Establishes secure baseline configurations for phpBB, such as disabling phar stream wrappers or restricting imagick processing in attachment settings.
References
- No references listed