CVE-2025-46193
Published: 09 May 2025
Summary
CVE-2025-46193 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Lerouxyxchire Client Database Management System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 11.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
SourceCodester Client Database Management System 1.0 contains a remote code execution vulnerability stemming from arbitrary file upload in the user_proposal_update_order.php component. The flaw is tracked as CVE-2025-46193 with a CVSS 3.1 score of 9.8 and is associated with CWE-434, indicating unrestricted file upload that permits execution of attacker-supplied code on the server.
The vulnerability can be exploited remotely by unauthenticated attackers over the network. Successful exploitation grants full control over the affected system, allowing arbitrary code execution that impacts confidentiality, integrity, and availability without requiring user interaction or credentials.
The EPSS score remains flat at 0.0365 with no material increase after disclosure, indicating limited observed exploitation interest to date. The supplied references consist of a technical write-up and general guidance on file-upload weaknesses but contain no vendor advisory or patch details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14167
Vulnerability details
SourceCodester Client Database Management System 1.0 is vulnerable to remote code execution via arbitrary file upload in user_proposal_update_order.php.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote code execution vulnerability via arbitrary file upload in a public-facing web application (PHP endpoint), enabling adversaries to exploit public-facing applications for initial access.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
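The controls above are derived from the CWE rather than from the application itself. The application-level control for CWE-434 in a PHP upload endpoint is strict server-side validation: allow-list the extension, verify the file content rather than the client's Content-Type header, discard the client-supplied filename, and store the result outside the web root. The handler below is an added illustration of that pattern; it is not code from the Client Database Management System or from the referenced write-up, and the function name, the allow-list, the size limit and the `/var/app/uploads` directory are assumptions chosen for the example.

```php
<?php
// Added example (not SourceCodester's code): a hardened upload handler for a
// PHP endpoint, showing the CWE-434 controls the record describes.
// Assumptions: $file is one entry of $_FILES; $destDir is a directory outside
// the web root from which the web server never executes scripts.

declare(strict_types=1);

// Extensions the application legitimately needs, mapped to the MIME types
// libmagic must report for the file content. Anything else is rejected.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;   // assumed limit for the example

/**
 * Validate an uploaded file and store it under a server-generated name.
 * Returns the stored path, or throws RuntimeException on any failure.
 */
function store_upload_safely(array $file, string $destDir): string
{
    // 1. PHP-level upload status and size limit.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file supplied');
    }
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 2. Only accept files that really arrived through the HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 3. Allow-list the extension taken from the client-supplied name.
    //    The weak pattern this replaces trusts $file['name'] verbatim and
    //    moves it into the web root, which is what makes a .php upload
    //    reachable and executable by URL.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('Extension not permitted');
    }

    // 4. Check the content with libmagic, not the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }

    // 5. Never reuse the client filename: random name, fixed extension,
    //    stored outside the web root so nothing can be executed by URL.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0640);   // not executable, readable only by the app user
    return $target;
}

// Usage from an endpoint (constructed illustration, field name assumed):
// try {
//     $stored = store_upload_safely($_FILES['proposal'], '/var/app/uploads');
//     // Record $stored in the database and serve it back through a download
//     // script that sets Content-Disposition: attachment, never by direct URL.
// } catch (RuntimeException $e) {
//     http_response_code(400);
// }
```

The extension and MIME checks reject a plain `.php` upload outright, but a valid image or PDF with script content appended would still pass step 4; that is why steps 5 and the download-script pattern matter, since a file that is never inside the web root and never served with an executable handler cannot become remote code execution even if a polyglot slips through.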