CVE-2022-50912
Published: 13 January 2026
Summary
CVE-2022-50912 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Impresscms Impresscms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of file upload inputs for expected content, format, and type to prevent bypass of extension sanitization with dangerous PHP variants.
Restricts file uploads to only authorized safe types and sources, blocking submission of files with alternative PHP-executable extensions like .php2 or .pht.
Deploys malicious code protection mechanisms at web server entry points to scan and block uploaded PHP payloads before execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unrestricted file upload in a public-facing web application (ImpressCMS CMS), directly enabling T1190 (Exploit Public-Facing Application) for unauthenticated remote code execution. It facilitates uploading and executing arbitrary PHP code, commonly as a web shell (T1100).
NVD Description
ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server.
Deeper analysisAI
CVE-2022-50912 affects ImpressCMS version 1.4.4 and involves a file upload vulnerability stemming from weak extension sanitization. This flaw enables attackers to upload potentially malicious files by bypassing restrictions through alternative extensions such as .php2, .php6, .php7, .phps, or .pht, ultimately allowing execution of arbitrary PHP code on the server. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
The attack scenario targets the file upload functionality accessible over the network, exploitable by unauthenticated remote attackers without requiring user interaction. Successful exploitation permits attackers to upload and execute malicious PHP payloads, achieving high-impact confidentiality, integrity, and availability compromises, such as server takeover or code execution in the context of the web server.
Reference advisories include the VulnCheck advisory at https://www.vulncheck.com/advisories/impresscms-unrestricted-file-upload, ImpressCMS GitHub at https://github.com/ImpressCMS/impresscms, the official site at https://www.impresscms.org/, and a public exploit at https://www.exploit-db.com/exploits/50890. Practitioners should review these sources for mitigation details and available patches.
Details
- CWE(s)