CVE-2025-34111
Published: 15 July 2025
Summary
CVE-2025-34111 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Tiki Tikiwiki Cms/Groupware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Deeper analysis
An unauthenticated arbitrary file upload vulnerability affects Tiki Wiki CMS Groupware versions 15.1 and earlier. The flaw resides in the ELFinder component's default connector at /vendor_extra/elfinder/connector.minimal.php, which performs no file type validation and permits remote attackers to upload executable PHP scripts directly to the web server.
Remote unauthenticated attackers can exploit the issue by crafting a POST request through the exposed ELFinder interface, resulting in arbitrary code execution with the privileges of the web server process. The vulnerability maps to CWE-20, CWE-306, and CWE-434 and carries a CVSS 4.0 score of 9.3.
Public advisories, including the Tiki security announcement for versions 15.2, 14.4, and 12.9, recommend immediate upgrade to a patched release. Public exploit code is available in Metasploit and Exploit-DB, and the EPSS score has reached 0.8387, indicating substantial exploitation interest.
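As an added detection example (not from the advisory or the Tiki project): a small Python scanner over constructed web-server access-log lines that flags the two signals described above, a POST to the connector.minimal.php connector and a later successful request for a PHP file under /vendor_extra/elfinder/. The log lines, sample IPs and the "files/" upload directory are assumptions; cmd=upload is elFinder's own upload command name.

```python
import re
from typing import Dict, List, Optional

CONNECTOR = "/vendor_extra/elfinder/connector.minimal.php"  # connector path named in the advisory
ELFINDER_ROOT = "/vendor_extra/elfinder/"

# Combined-log-format prefix: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). The "files/" upload directory is an
# assumption; the advisory only names the connector path.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jul/2025:10:01:02 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jul/2025:10:01:09 +0000] "POST /vendor_extra/elfinder/connector.minimal.php?cmd=upload HTTP/1.1" 200 310 "-" "python-requests/2.31"',
    '203.0.113.5 - - [15/Jul/2025:10:01:15 +0000] "GET /vendor_extra/elfinder/files/x.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/Jul/2025:10:02:00 +0000] "GET /vendor_extra/elfinder/connector.minimal.php?cmd=open&init=1 HTTP/1.1" 200 920 "-" "Mozilla/5.0"',
]


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if it is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    finding = None
    if m["method"] == "POST" and path == CONNECTOR:
        # A POST to the connector is the upload channel the advisory describes; elFinder
        # sends its upload command as cmd=upload, so that query is the strongest signal.
        finding = "elfinder-upload" if "cmd=upload" in query.split("&") else "elfinder-connector-post"
    elif (path.startswith(ELFINDER_ROOT) and path != CONNECTOR
          and path.endswith(".php") and m["status"].startswith("2")):
        # A successful request for a PHP file under the elFinder tree that is not the
        # connector itself is consistent with an uploaded script being executed (T1505.003).
        finding = "php-under-elfinder-tree"
    if finding is None:
        return None
    return {"finding": finding, "ip": m["ip"], "time": m["time"], "path": path}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A connector POST alone is not proof of compromise on a deployment that legitimately exposes the file manager; the value is in correlating it with the second signal from the same source.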
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21425
Vulnerability details
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
- CWE(s): CWE-20, CWE-306, CWE-434
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated arbitrary PHP file upload to public web app (ELFinder endpoint) directly enables T1190 (Exploit Public-Facing Application) and installation/execution of a web shell (T1505.003) for RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the arbitrary file upload vulnerability by identifying, reporting, and remediating flaws through vendor patches such as Tiki 15.2.
- SI-10 (Information Input Validation): enforces validation of file inputs to the ELFinder connector.minimal.php, preventing uploads of dangerous PHP executable scripts that the improper input validation currently allows.
- SC-14 (Public Access Protections): protects the publicly exposed /vendor_extra/elfinder/ endpoint from unauthenticated arbitrary file uploads by enforcing access controls and security measures on public system elements.