Cyber Posture

CVE-2025-34111

Severity: Critical · Public PoC

Published: 15 July 2025
Modified: 03 October 2025
KEV Added: (not listed)
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7369 (98.8th percentile)
Risk Priority: 64 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34111 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Tiki Tikiwiki CMS/Groupware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (Web Shell, T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mitigates the arbitrary file upload vulnerability by identifying, reporting, and remediating flaws through vendor patches such as Tiki 15.2.

prevent (SI-10, Information Input Validation): Enforces validation of file inputs to the ELFinder connector.minimal.php, blocking the upload of executable PHP scripts that the connector otherwise accepts because it does not validate file types.

prevent (SC-14, Public Access Protections): Protects the publicly exposed /vendor_extra/elfinder/ endpoint from unauthenticated arbitrary file uploads by enforcing access controls and security measures on public system elements.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated arbitrary PHP file upload to a public web application (the ELFinder endpoint) directly enables T1190 (Exploit Public-Facing Application) and the installation and execution of a web shell (T1505.003), yielding remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.

Deeper analysis [AI-generated]

CVE-2025-34111 is an unauthenticated arbitrary file upload vulnerability in Tiki Wiki CMS Groupware version 15.1 and earlier. The issue resides in the ELFinder component's default connector, connector.minimal.php, which fails to enforce file type validation. This endpoint, exposed at /vendor_extra/elfinder/, permits remote attackers to craft POST requests that upload executable PHP payloads, which then run in the web server's context. The vulnerability is associated with CWE-20 (Improper Input Validation), CWE-306 (Missing Authentication for Critical Function), and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Exploitation involves sending a malicious file upload request to the ELFinder connector, resulting in arbitrary PHP code execution on the server. This grants attackers high-impact control over confidentiality, integrity, and availability, effectively enabling full remote code execution (RCE) in the web server's context.

Tiki.org advisories detail security updates that mitigate the issue, namely the releases of Tiki 15.2, 14.4, and 12.9. Public proof-of-concept exploits confirm reliability, with a Metasploit module available in the Rapid7 repository and an Exploit-DB entry (40091). The VulnCheck advisory further describes the unauthenticated file upload leading to RCE and recommends upgrading to patched versions and, where possible, restricting access to the endpoint.

Exploits are publicly documented, indicating potential for widespread exploitation targeting unpatched Tiki Wiki instances.
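Because the connector is reachable without authentication, the two ATT&CK techniques mapped above leave a recognisable trace in ordinary web server access logs: a POST to connector.minimal.php (the upload attempt, T1190) followed by requests for a PHP file under the elFinder directory that is not the connector itself (web shell use, T1505.003). The following detector is an added example written for this page, not code from Tiki, elFinder or Cyber Posture; the log lines are constructed, and the exact sub-path of the connector and the directory elFinder writes uploads to are assumptions, so only the /vendor_extra/elfinder/ prefix and the connector filename from the advisory are matched.

```python
import re

# Constructed sample access log (combined log format); not from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2025:10:01:02 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jul/2025:10:01:05 +0000] "POST /vendor_extra/elfinder/php/connector.minimal.php HTTP/1.1" 200 210 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jul/2025:10:01:09 +0000] "GET /vendor_extra/elfinder/files/shell.php HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jul/2025:10:02:00 +0000] "GET /vendor_extra/elfinder/js/elfinder.min.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ELFINDER_PREFIX = "/vendor_extra/elfinder/"   # endpoint named in the advisory
CONNECTOR = "connector.minimal.php"           # vulnerable default connector

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec

def detect(log_text):
    """Return (ip, label, path) findings for elFinder upload and web shell activity.

    T1190: a POST to the connector (the unauthenticated upload request).
    T1505.003: a later request for a non-connector .php file under the elFinder
    tree from an IP that already POSTed to the connector; the same request from
    an uncorrelated IP is still reported, with a weaker label.
    """
    findings = []
    posted = set()   # client IPs seen POSTing to the connector
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(ELFINDER_PREFIX):
            continue
        if rec["method"] == "POST" and rec["path"].endswith(CONNECTOR):
            posted.add(rec["ip"])
            findings.append((rec["ip"], "T1190", rec["path"]))
        elif rec["path"].endswith(".php") and not rec["path"].endswith(CONNECTOR):
            label = "T1505.003" if rec["ip"] in posted else "php-under-elfinder"
            findings.append((rec["ip"], label, rec["path"]))
    return findings

if __name__ == "__main__":
    for ip, label, path in detect(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{path}")
```

On a patched deployment the POST alone is not proof of compromise, but a correlated T1505.003 hit on a host running Tiki 15.1 or earlier warrants treating the server as compromised.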

Details

CWE(s): CWE-20, CWE-306, CWE-434

Affected Products: tiki · tikiwiki cms/groupware · ≤ 15.1

CVEs Like This One

CVE-2026-32985 (shared: CWE-306, CWE-434)
CVE-2025-68909 (shared: CWE-434)
CVE-2026-32524 (shared: CWE-434)
CVE-2025-69559 (shared: CWE-434)
CVE-2025-54944 (shared: CWE-434)
CVE-2025-5061 (shared: CWE-434)
CVE-2025-55267 (shared: CWE-434)
CVE-2025-7441 (shared: CWE-434)
CVE-2023-53952 (shared: CWE-434)
CVE-2025-15226 (shared: CWE-434)

References