CVE-2025-52207
Published: 27 June 2025
Summary
CVE-2025-52207 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in MikoPBX (product inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-52207 is a path traversal vulnerability (CWE-23) in the PBXCoreREST/Controllers/Files/PostController.php component of MikoPBX versions through 2024.1.114. The flaw permits an authenticated user to upload a PHP script to an arbitrary directory on the server; it is rated CVSS 9.9 (network attack vector, low attack complexity, changed scope).
An attacker with low-privileged API access can exploit the issue remotely to place executable code outside intended upload paths, enabling full compromise of confidentiality and integrity along with partial availability impact on the affected PBX system.
The referenced commit 3ee785429d3f1b33c9ab387ef4221127c9b8c5f3 on the MikoPBX Core repository addresses the upload logic, and the project site at mikopbx.com provides the primary distribution point for updated releases.
EPSS remains flat at 0.0987 with no material rise after disclosure.
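As an added defensive illustration (not MikoPBX's code and not the content of the referenced commit), the following PHP function shows the confinement check an upload handler needs so that a caller-supplied directory and file name cannot place a file outside the upload base or drop a script the web server could execute. The function name, base directory and the denied extension list are assumptions.

```php
<?php
// Added example, not MikoPBX code: confine an upload target to a fixed base
// directory and refuse script-capable file types. Names are assumptions.

function resolveUploadTarget(string $baseDir, string $relativeDir, string $fileName): string
{
    // Resolve the trusted base once; realpath() collapses "." / ".." and symlinks.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Upload base directory does not exist');
    }

    // The file name must be a single path component: no NUL bytes, no separators.
    if ($fileName === '' || strpbrk($fileName, "\0/\\") !== false) {
        throw new InvalidArgumentException('Invalid file name');
    }

    // Allow-list the sub-directory: simple segments only, so "..", absolute
    // paths and drive-style prefixes never reach the filesystem call.
    if (!preg_match('#^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*$#', $relativeDir)) {
        throw new InvalidArgumentException('Invalid target directory');
    }

    // Refuse extensions the web server may execute. An allow-list of the
    // formats the endpoint actually expects (e.g. audio files) is preferable
    // where those formats are known, and also covers double extensions.
    $denied = ['php', 'phtml', 'phar', 'php3', 'php5', 'php7', 'phps', 'htaccess', 'cgi', 'pl', 'sh'];
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if (in_array($ext, $denied, true)) {
        throw new InvalidArgumentException('File type not permitted');
    }

    $targetDir = $base . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $relativeDir);
    if (!is_dir($targetDir) && !mkdir($targetDir, 0750, true)) {
        throw new RuntimeException('Cannot create target directory');
    }

    // Belt and braces: re-resolve and verify the directory still sits under $base
    // (guards against symlinks created inside the upload tree).
    $resolved = realpath($targetDir);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Target escapes upload base');
    }

    return $resolved . DIRECTORY_SEPARATOR . $fileName;
}

// Usage (assumed base directory): a request asking for "../../etc" is rejected
// by the allow-list before any filesystem access; "sounds/custom" is accepted.
// echo resolveUploadTarget('/var/lib/uploads', 'sounds/custom', 'greeting.wav');
```

The two checks are deliberately redundant: the allow-list rejects bad input cheaply, and the realpath comparison catches anything the pattern missed or that the filesystem layout introduced.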
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19422
Vulnerability details
PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.
- CWE(s): CWE-23 (Relative Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
MikoPBX through 2024.1.114 (PBXCoreREST/Controllers/Files/PostController.php)
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.