Cyber Resilience

CVE-2025-34111

Critical · Public PoC

Published: 15 July 2025
Modified: 03 October 2025
KEV Added: not listed
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.8387 (99.3rd percentile)
Risk Priority: 69 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34111 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Tiki Wiki CMS/Groupware. Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

An unauthenticated arbitrary file upload vulnerability affects Tiki Wiki CMS Groupware versions 15.1 and earlier. The flaw resides in the ELFinder component's default connector at /vendor_extra/elfinder/connector.minimal.php, which performs no file type validation and permits remote attackers to upload executable PHP scripts directly to the web server.

Remote unauthenticated attackers can exploit the issue by crafting a POST request through the exposed ELFinder interface, resulting in arbitrary code execution with the privileges of the web server process. The vulnerability maps to CWE-20, CWE-306, and CWE-434 and carries a CVSS 4.0 score of 9.3.

Public advisories, including the Tiki security announcement for versions 15.2, 14.4, and 12.9, recommend immediate upgrade to a patched release. Public exploit code is available in Metasploit and Exploit-DB, and the EPSS score has reached 0.8387, indicating substantial exploitation interest.

Vulnerability details

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
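As an added defender-side example (not part of this advisory record or of Tiki's own code), the following Python scans web server access logs for the two behaviours described above: POSTs to the exposed connector and later requests by the same client for PHP files outside the known entry points, which is how an uploaded web shell would be reached. The sample log lines, the allowlist of Tiki entry points, and the `/files/example.php` path are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined-log-format parser (Apache/nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Connector path named in the advisory for CVE-2025-34111.
CONNECTOR = "/vendor_extra/elfinder/connector.minimal.php"

# PHP entry points a client may legitimately request (assumed allowlist; extend
# it with the entry points your deployment actually serves).
KNOWN_PHP = {"/tiki-index.php", "/tiki-login.php", CONNECTOR}

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, known_php=KNOWN_PHP):
    """Return (ip, finding, path) tuples for the two signals of this CVE."""
    findings = []
    posted = defaultdict(bool)  # client ip -> has POSTed to the connector
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0]  # drop the query string
        # Signal 1 (T1190): a POST to the unauthenticated upload connector.
        if rec["method"] == "POST" and path == CONNECTOR:
            findings.append((ip, "elfinder_connector_post", path))
            posted[ip] = True
        # Signal 2 (T1505.003): the same client then requests a .php resource
        # outside the allowlist, which is how an uploaded web shell is reached.
        elif posted[ip] and path.lower().endswith(".php") and path not in known_php:
            findings.append((ip, "possible_webshell_request", path))
    return findings

# Constructed sample lines (not from the advisory); the third path is invented.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2025:10:01:02 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120
203.0.113.5 - - [15/Jul/2025:10:01:09 +0000] "POST /vendor_extra/elfinder/connector.minimal.php HTTP/1.1" 200 87
203.0.113.5 - - [15/Jul/2025:10:01:15 +0000] "GET /vendor_extra/elfinder/files/example.php HTTP/1.1" 200 33
198.51.100.7 - - [15/Jul/2025:10:02:00 +0000] "GET /tiki-login.php HTTP/1.1" 200 4000
""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields two findings for 203.0.113.5 (the connector POST, then the request for the unknown .php file) and nothing for the client that only visited the login page.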

CWE(s)

CWE-20 (Improper Input Validation), CWE-306 (Missing Authentication for Critical Function), CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An unauthenticated arbitrary PHP file upload to a public web application (the ELFinder endpoint) directly enables T1190 (Exploit Public-Facing Application) and the installation and execution of a web shell (T1505.003), yielding remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27891 (shared CWE-20, CWE-434)
CVE-2026-32985 (shared CWE-306, CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2026-33704 (shared CWE-434)
CVE-2025-30996 (shared CWE-434)
CVE-2026-32482 (shared CWE-434)

Affected Assets

tiki / tikiwiki cms/groupware, versions ≤ 15.1

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Directly mitigates the arbitrary file upload vulnerability by identifying, reporting, and remediating flaws through vendor patches such as Tiki 15.2.

prevent (SI-10, Information Input Validation): Enforces validation of file inputs to the ELFinder connector.minimal.php, preventing the upload of dangerous PHP executable scripts that the missing input validation currently allows.

prevent (SC-14, Public Access Protections): Protects the publicly exposed /vendor_extra/elfinder/ endpoint from unauthenticated arbitrary file uploads by enforcing access controls and security measures on public system elements.
