Cyber Resilience

CVE-2022-40797

Severity: Critical. Public PoC: available.

Published: 09 November 2022

Modified: 01 May 2025
KEV added: not listed
Patch: none recorded
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1265 (94.1th percentile)
Risk priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-40797 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Roxyfileman Roxy Fileman. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 5.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Roxy Fileman version 1.4.6 contains an unrestricted file upload vulnerability tracked as CVE-2022-40797. The component's upload filter is a denylist: the default FORBIDDEN_UPLOADS value in conf.json forbids only the .php, .php4 and .php5 extensions, so a .phar file is accepted. In common web-server setups where the PHP interpreter also handles .phar requests, an uploaded .phar file is executed as PHP, which makes this a remote code execution issue with a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can upload a malicious .phar file and then request it over HTTP to execute arbitrary code on the server. The attack requires neither user interaction nor authentication and, in vulnerable configurations, grants full control over the affected application and the underlying host.

Public references consist primarily of exploit code and proof-of-concept reports on Packet Storm along with a configuration note from the Debian PHP package; no official vendor patch or mitigation guidance appears among the listed sources.

The EPSS score for this CVE rose from low values to a peak of 0.4314 on 2025-01-22 before receding to the current 0.1265, indicating a clear increase in observed exploitation interest after disclosure.

Vulnerability details

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (In some realistic web-server configurations, requesting any .phar file invokes the PHP interpreter.)
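The root cause described in the analysis above and in the vulnerability details is a denylist that names a few extensions and lets everything else through. The following Python is an added example, not code from Roxy Fileman or from this page: it models the default FORBIDDEN_UPLOADS denylist as the page describes it, places an extension allowlist with magic-byte checking beside it, and includes a small audit helper that compares a denylist against the set of extensions a server hands to the PHP interpreter. The sample filenames, file contents, the allowlist, and the handler-extension set are constructed for the example; the handler set is an assumption about a typical PHP setup, not a fact taken from the page.

```python
import os

# Denylist constructed from the page's description of Roxy Fileman 1.4.6's
# default conf.json: FORBIDDEN_UPLOADS names only these three extensions.
ROXY_DEFAULT_FORBIDDEN = ("php", "php4", "php5")

# Constructed defender allowlist for an image/document file manager.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Leading bytes of the allowlisted binary formats (standard file signatures).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def extension_of(filename):
    """Return the lower-cased final extension, or '' if there is none."""
    base = os.path.basename(filename)
    if "." not in base or base.endswith("."):
        return ""
    return base.rsplit(".", 1)[1].lower()


def denylist_allows(filename, forbidden=ROXY_DEFAULT_FORBIDDEN):
    """Model of the weak check: anything not explicitly forbidden is accepted."""
    return extension_of(filename) not in forbidden


def allowlist_allows(filename, content, allowed=ALLOWED_EXTENSIONS):
    """Hardened check: extension must be on the allowlist, and binary formats
    must also start with the expected signature so a renamed file is rejected."""
    ext = extension_of(filename)
    if ext not in allowed:
        return False
    signatures = MAGIC.get(ext)
    if signatures is not None and not any(content.startswith(s) for s in signatures):
        return False
    return True


def denylist_gaps(forbidden, handler_extensions):
    """Audit helper: extensions the web server executes as PHP that the
    denylist does not block. A non-empty result means the filter is bypassable."""
    return set(e.lower() for e in handler_extensions) - set(e.lower() for e in forbidden)


# Constructed sample uploads: (filename, leading bytes). No real code is used.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("notes.txt", b"plain text"),
    ("upload.php", b"<placeholder>"),
    ("upload.phar", b"<placeholder>"),
    ("UPLOAD.PHAR", b"<placeholder>"),
    ("fake.png", b"not really a png"),
]


def evaluate(samples=SAMPLES):
    """Return {filename: (accepted_by_denylist, accepted_by_allowlist)}."""
    return {name: (denylist_allows(name), allowlist_allows(name, data))
            for name, data in samples}


if __name__ == "__main__":
    for name, (deny, allow) in evaluate().items():
        print(f"{name:12s} denylist={'accept' if deny else 'reject':6s} "
              f"allowlist={'accept' if allow else 'reject'}")
    # Assumed handler set: extensions a typical PHP web-server config maps to
    # the interpreter. Constructed for the example; check your own server config.
    print("uncovered by denylist:", denylist_gaps(ROXY_DEFAULT_FORBIDDEN,
                                                  ("php", "php4", "php5", "phar")))
```

The point of `denylist_gaps` is that the filter has to be audited against what the server actually executes, not against a fixed list of "known bad" names; an allowlist avoids the question entirely because a new interpreter-mapped extension is never accepted by default.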

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: roxyfileman
Product: roxy fileman
Version: 1.4.6

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-434) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.