CVE-2022-40797
Published: 09 November 2022
Summary
CVE-2022-40797 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Roxyfileman's Roxy Fileman. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Roxy Fileman version 1.4.6 contains an unrestricted file upload vulnerability tracked as CVE-2022-40797. The component's default configuration in conf.json restricts only .php, .php4, and .php5 extensions under FORBIDDEN_UPLOADS, allowing .phar files to be uploaded. In common web-server setups where the PHP interpreter handles .phar requests, this leads directly to remote code execution with a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can upload a malicious .phar file and then invoke it via HTTP request to execute arbitrary code on the server. The attack requires no user interaction or authentication and grants full control over the affected application and underlying host in vulnerable configurations.
Public references consist primarily of exploit code and proof-of-concept reports on Packet Storm along with a configuration note from the Debian PHP package; no official vendor patch or mitigation guidance appears among the listed sources.
The EPSS score for this CVE rose from low values to a peak of 0.4314 on 2025-01-22 before receding to the current 0.1265, indicating a clear increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44063
Vulnerability details
Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)
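As an added illustration (not Roxy Fileman's own code, which is PHP, and not the real conf.json layout), the following Python contrasts the extension denylist described above with an allowlist check and lists the names the denylist accepts but a PHP handler would still execute. The JSON layout, the set of PHP-handled extensions and the allowlist are assumptions.

```python
import json
import posixpath

# Constructed stand-in for the upload-filter part of Roxy Fileman's conf.json.
# Only the key name FORBIDDEN_UPLOADS and its three default entries come from
# the CVE text; the list layout is an assumption, not the real file format.
WEAK_CONF_JSON = '{"FORBIDDEN_UPLOADS": ["php", "php4", "php5"]}'

# Extensions a typical PHP-enabled web server may hand to the interpreter
# (assumed set; the point of the CVE is that .phar is frequently among them).
PHP_HANDLED_EXTS = {"php", "php4", "php5", "phar", "phtml"}

# Allowlist for a hardened upload endpoint (assumed; tune per deployment).
ALLOWED_UPLOAD_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extensions_of(filename: str) -> list[str]:
    """Lower-cased dotted suffixes of the basename: 'x.PHAR.jpg' -> ['phar', 'jpg'].
    Trailing dots/spaces are stripped because many filesystems drop them on write."""
    base = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    return base.lower().split(".")[1:]


def denylist_allows(filename: str, conf_json: str = WEAK_CONF_JSON) -> bool:
    """The vulnerable pattern: block only if the final extension is on FORBIDDEN_UPLOADS."""
    forbidden = {e.lower().lstrip(".") for e in json.loads(conf_json)["FORBIDDEN_UPLOADS"]}
    exts = extensions_of(filename)
    return not exts or exts[-1] not in forbidden


def allowlist_allows(filename: str) -> bool:
    """Hardened check: final extension must be allowlisted and no suffix may be
    PHP-handled (the second rule rejects double extensions such as 'a.phar.jpg')."""
    exts = extensions_of(filename)
    return bool(exts) and exts[-1] in ALLOWED_UPLOAD_EXTS and not (set(exts) & PHP_HANDLED_EXTS)


def server_would_execute(filename: str) -> bool:
    """Would the (assumed) handler mapping treat this file name as a PHP script?"""
    exts = extensions_of(filename)
    return bool(exts) and exts[-1] in PHP_HANDLED_EXTS


def denylist_gaps(names: list[str], conf_json: str = WEAK_CONF_JSON) -> list[str]:
    """Names the denylist accepts but the server would execute: the CVE-2022-40797 class of gap."""
    return [n for n in names if denylist_allows(n, conf_json) and server_would_execute(n)]


if __name__ == "__main__":
    samples = ["photo.jpg", "shell.php", "shell.PHAR", "shell.phar.", "note.phtml", "a.phar.jpg"]
    print("accepted by denylist but executable:", denylist_gaps(samples))
    print("accepted by allowlist:", [n for n in samples if allowlist_allows(n)])
```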
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.