Cyber Resilience

CVE-2025-50881

High · RCE

Published: 16 March 2026

Modified: 27 April 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0080 (51.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-50881 is a high-severity Code Injection (CWE-94) vulnerability in Advanced (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-50881 is a remote code execution vulnerability in the `flow/admin/moniteur.php` script of the Use It Flow administration website versions before 10.0.0. The flaw arises when handling GET requests: the script accepts user-supplied input from the `action` URL parameter without sufficient validation, incorporates it into a string executed via PHP's `eval()` function, and performs a `method_exists()` check that only validates the input portion before the first parenthesis `(`. This allows attackers to append arbitrary PHP code after a valid method call structure. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection).

An attacker with low privileges (PR:L), such as an unauthenticated user or one with trivial authentication, can exploit this over the network with no user interaction required. By crafting a malicious `action` parameter that passes the partial validation but injects executable PHP code, they achieve arbitrary code execution on the server under the privileges of the web server process. This grants high confidentiality, integrity, and availability impacts, potentially leading to full server compromise.

Mitigation details are available in advisories referenced at http://advanced.com, http://use.com, and https://github.com/0xdeadbit/CVE-2025-50881, which security practitioners should review for patching instructions and workarounds. The CVE was published on 2026-03-16.

Vulnerability details

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote code execution via a crafted GET request to a public-facing web application endpoint, directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 (Shared CWE-94)
CVE-2026-44262 (Shared CWE-94)
CVE-2026-40563 (Shared CWE-94)
CVE-2024-32641 (Shared CWE-94)
CVE-2025-71243 (Shared CWE-94)
CVE-2026-2052 (Shared CWE-94)
CVE-2026-9170 (Shared CWE-94)
CVE-2025-54451 (Shared CWE-94)
CVE-2025-50692 (Shared CWE-94)
CVE-2025-22204 (Shared CWE-94)

Affected Assets

Advanced
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates validation of user-supplied 'action' URL parameter inputs to block insufficiently sanitized data from reaching the eval() function and enabling code injection.

prevent

Requires identification, reporting, and correction of the specific code injection flaw in flow/admin/moniteur.php via patching to version 10.0.0 or later.

prevent

Restricts the 'action' parameter to only valid method names or predefined values, preventing attackers from appending arbitrary PHP code after the partial method_exists() check.
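
The input-validation control described above, sketched as an added example (not code from Use It Flow or from the referenced advisories): the whole `action` value must be a bare identifier on an explicit allow-list, and dispatch goes through a method call rather than `eval()`. The class `MonitorActions`, its methods, the `ALLOWED_ACTIONS` list and the sample inputs are hypothetical, and the sketch assumes PHP 8 and that legitimate callers send only a method name.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the class whose methods the monitor page exposes.
final class MonitorActions
{
    public function status(): string { return 'ok'; }
    public function queueDepth(): string { return '0'; }
    public function purgeAll(): string { return 'purged'; } // exists, but not exposed
}

// Explicit allow-list: method_exists() alone would also admit purgeAll().
const ALLOWED_ACTIONS = ['status', 'queueDepth'];

/**
 * Resolve the raw `action` value to an allow-listed method name, or null.
 * The whole string must be a bare identifier: no parentheses, arguments,
 * separators or trailing text, so nothing after the name is ever accepted.
 */
function resolveAction(mixed $raw): ?string
{
    // $_GET values can be arrays (action[]=...), so reject non-strings first.
    if (!is_string($raw) || preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $raw) !== 1) {
        return null;
    }
    // Strict, case-sensitive comparison: only exact allow-list entries pass.
    return in_array($raw, ALLOWED_ACTIONS, true) ? $raw : null;
}

/** Dispatch through a method call; the input never becomes PHP source text. */
function dispatch(MonitorActions $target, mixed $raw): array
{
    $method = resolveAction($raw);
    if ($method === null) {
        return [400, 'invalid action'];
    }
    return [200, $target->{$method}()];
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['status', 'queueDepth', 'purgeAll', 'status()', 'status();extra', ['status'], ''];
foreach ($samples as $raw) {
    [$code, $body] = dispatch(new MonitorActions(), $raw);
    printf("%-18s => %d %s\n", json_encode($raw), $code, $body);
}
```

Validating the complete string with anchored `\A...\z` is the difference from the prefix-only `method_exists()` check described in the analysis: a value is either exactly an allowed name or it is rejected.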

References