Cyber Resilience

CVE-2019-25685

Published: 05 April 2026

Modified: 19 April 2026
CVSS Score: N/A
EPSS Score: 0.0018 (40.1st percentile)
Risk Priority: 0 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-25685 is a vulnerability of uncategorised severity and unspecified weakness type. Its CVSS base score is N/A.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 40.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-25685 is an arbitrary file upload vulnerability in phpBB, exploitable through the plupload functionality combined with the phar:// stream wrapper. Attackers can upload a crafted ZIP file containing serialized PHP objects, which trigger arbitrary code execution upon deserialization via the imagick parameter in attachment settings. The vulnerability is associated with CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables uploading malicious files, leading to remote code execution on the server, with high impacts on confidentiality, integrity, and availability.

Advisories and related resources, including the Vulncheck advisory at https://www.vulncheck.com/advisories/phpbb-arbitrary-file-upload-via-phar-deserialization and a proof-of-concept exploit at https://www.exploit-db.com/exploits/46512, provide further technical details on the issue.

A public exploit is available, highlighting the risk of real-world exploitation in unpatched phpBB installations.

Vulnerability details

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2019-25685 enables exploitation of a public-facing phpBB web application via authenticated arbitrary file upload and phar deserialization leading to remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the vulnerability by requiring timely patching of the phpBB arbitrary file upload and phar deserialization flaw.

Prevent: Enforces validation of uploaded files to block crafted ZIP files exploiting plupload and the phar:// stream wrapper for path traversal and deserialization.

Prevent: Establishes secure baseline configurations for phpBB, such as disabling phar stream wrappers or restricting imagick processing in attachment settings.