Cyber Resilience

CVE-2025-50286

HighPublic PoC

Published: 06 August 2025

Published
06 August 2025
Modified
07 November 2025
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7313 98.8th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50286 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Getgrav Grav. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-50286 is a remote code execution vulnerability affecting Grav CMS version 1.7.48. It arises in the plugin installation workflow at the /admin/tools/direct-install interface, where an uploaded archive is automatically extracted and loaded without sufficient validation of its contents, enabling execution of arbitrary PHP code. The issue is tracked under CWE-434 and carries a CVSS 3.1 score of 8.1.

An authenticated administrator can exploit the flaw by uploading a crafted malicious plugin through the affected interface. Once the archive is processed, the embedded PHP payload executes in the context of the web application, granting the attacker the ability to run arbitrary commands and establish a reverse shell.

The single reference URL leads to a GitHub repository that documents the vulnerability and likely contains proof-of-concept material, but provides no explicit mitigation guidance or patch details. The associated EPSS score has remained stable at its peak value of 0.7313 with no indicated rise after disclosure.

EU & UK References

Vulnerability details

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell…

more

access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability enables exploitation of public-facing web application (T1190), uploading malicious plugin ZIP for tool transfer (T1105), and automatic deployment/execution of web shell via PHP code for execution (T1100) and persistence (T1505.003).

CVEs Like This One

CVE-2021-47812Same product: Getgrav Grav
CVE-2025-46198Same product: Getgrav Grav
CVE-2026-42608Same product: Getgrav Grav
CVE-2025-46199Same product: Getgrav Grav
CVE-2026-42612Same product: Getgrav Grav
CVE-2025-66294Same product: Getgrav Grav
CVE-2026-42611Same product: Getgrav Grav
CVE-2026-29924Same product: Getgrav Grav
CVE-2025-66299Same product: Getgrav Grav
CVE-2025-66301Same product: Getgrav Grav

Affected Assets

getgrav
grav
1.7.48

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Prohibits user-installed software, directly preventing authenticated admins from uploading and installing malicious plugins via the direct-install interface.

prevent

Validates information inputs to the plugin upload interface, blocking malicious payloads before extraction and execution.

preventdetect

Deploys malicious code protection mechanisms to scan and block uploaded plugins containing arbitrary PHP code or reverse shells.

References