CVE-2025-50286
Published: 06 August 2025
Summary
CVE-2025-50286 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Getgrav Grav. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-50286 is a remote code execution vulnerability affecting Grav CMS version 1.7.48. It arises in the plugin installation workflow at the /admin/tools/direct-install interface, where an uploaded archive is automatically extracted and loaded without sufficient validation of its contents, enabling execution of arbitrary PHP code. The issue is tracked under CWE-434 and carries a CVSS 3.1 score of 8.1.
An authenticated administrator can exploit the flaw by uploading a crafted malicious plugin through the affected interface. Once the archive is processed, the embedded PHP payload executes in the context of the web application, granting the attacker the ability to run arbitrary commands and establish a reverse shell.
The single reference URL leads to a GitHub repository that documents the vulnerability and likely contains proof-of-concept material, but provides no explicit mitigation guidance or patch details. The associated EPSS score has remained stable at its peak value of 0.7313 with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23842
Vulnerability details
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell…
more
access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables exploitation of public-facing web application (T1190), uploading malicious plugin ZIP for tool transfer (T1105), and automatic deployment/execution of web shell via PHP code for execution (T1100) and persistence (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Prohibits user-installed software, directly preventing authenticated admins from uploading and installing malicious plugins via the direct-install interface.
Validates information inputs to the plugin upload interface, blocking malicious payloads before extraction and execution.
Deploys malicious code protection mechanisms to scan and block uploaded plugins containing arbitrary PHP code or reverse shells.