CVE-2025-50881
Published: 16 March 2026
Summary
CVE-2025-50881 is a high-severity Code Injection (CWE-94) vulnerability in Advanced (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of user-supplied 'action' URL parameter inputs to block insufficiently sanitized data from reaching the eval() function and enabling code injection.
Requires identification, reporting, and correction of the specific code injection flaw in flow/admin/moniteur.php via patching to version 10.0.0 or later.
Restricts the 'action' parameter to only valid method names or predefined values, preventing attackers from appending arbitrary PHP code after the partial method_exists() check.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote code execution via a crafted GET request to a public-facing web application endpoint, directly mapping to Exploit Public-Facing Application.
NVD Description
The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a…
more
string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.
Deeper analysisAI
CVE-2025-50881 is a remote code execution vulnerability in the `flow/admin/moniteur.php` script of the Use It Flow administration website versions before 10.0.0. The flaw arises when handling GET requests: the script accepts user-supplied input from the `action` URL parameter without sufficient validation, incorporates it into a string executed via PHP's `eval()` function, and performs a `method_exists()` check that only validates the input portion before the first parenthesis `(`. This allows attackers to append arbitrary PHP code after a valid method call structure. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection).
An attacker with low privileges (PR:L), such as an unauthenticated user or one with trivial authentication, can exploit this over the network with no user interaction required. By crafting a malicious `action` parameter that passes the partial validation but injects executable PHP code, they achieve arbitrary code execution on the server under the privileges of the web server process. This grants high confidentiality, integrity, and availability impacts, potentially leading to full server compromise.
Mitigation details are available in advisories referenced at http://advanced.com, http://use.com, and https://github.com/0xdeadbit/CVE-2025-50881, which security practitioners should review for patching instructions and workarounds. The CVE was published on 2026-03-16.
Details
- CWE(s)