Cyber Resilience

CVE-2025-52207

Severity: Critical
Published: 27 June 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: fix commit referenced under Deeper analysis
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0987 (93.2nd percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52207 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in MikoPBX (the product is inferred from the references, since NVD filed no CPE). Its CVSS 3.1 base score is 9.9 (Critical).

Operationally, its EPSS score places it in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-52207 is a relative path traversal vulnerability (CWE-23) in PBXCoreREST/Controllers/Files/PostController.php, the file-upload controller of the MikoPBX REST API, affecting versions through 2024.1.114. The destination path is not confined to the intended upload directory, so an authenticated user can upload a PHP script to an arbitrary directory on the server. The CVSS 3.1 base score is 9.9: network attack vector, low attack complexity, low privileges required, no user interaction, changed scope.

An attacker holding low-privileged API credentials can exploit the issue remotely to write executable code outside the intended upload path. A PHP file placed where the web server will execute it yields code execution on the PBX host, which is why the vector rates confidentiality and integrity impact as high with changed scope, alongside a partial availability impact.
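The bug class behind this CVE, shown as an added example rather than MikoPBX code: a hypothetical upload handler that joins a caller-supplied directory and file name onto an upload root, next to a hardened version that canonicalises the result, requires it to stay under the root, and refuses server-executable extensions. The upload root, the extension list, the attacker inputs and the function names are all assumptions made for this example; Python is used here so the check can be run offline, but the same shape (canonicalise, then prefix-check against the allowed root) applies to the PHP controller named in the advisory.

```python
"""Relative path traversal (CWE-23) in an upload handler: vulnerable join vs hardened check.

Constructed example, not MikoPBX code. Models the bug class behind CVE-2025-52207
in an endpoint that takes a caller-supplied target directory and file name.
All paths, names and inputs below are hypothetical.
"""
import posixpath

# Hypothetical layout: every upload must land somewhere under this tree.
UPLOAD_ROOT = "/storage/uploads"
# Extensions the web server would execute if the file is written under its document root.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}


class PathTraversal(ValueError):
    """Raised when an upload request tries to leave the upload root or drop executable code."""


def vulnerable_target_path(upload_root, user_dir, filename):
    """Vulnerable pattern: trust the caller's directory and name and concatenate.

    The filesystem resolves '..' at write time; normpath is used here only to show
    where the write actually lands. An absolute user_dir also discards upload_root
    entirely, because join() restarts at an absolute component.
    """
    return posixpath.normpath(posixpath.join(upload_root, user_dir, filename))


def safe_target_path(upload_root, user_dir, filename):
    """Hardened pattern: canonicalise, then require containment and a harmless extension.

    Uses normpath for deterministic, platform-independent output in this example;
    in a real handler resolve symlinks as well (e.g. os.path.realpath) before the
    prefix check, and decode any URL encoding before the values reach this point.
    """
    root = posixpath.normpath(upload_root)

    # A file name must be a single path component: no separators, no '.' or '..'.
    if filename != posixpath.basename(filename) or filename in ("", ".", ".."):
        raise PathTraversal(f"bad file name: {filename!r}")

    ext = posixpath.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        raise PathTraversal(f"executable extension refused: {filename!r}")

    # Force the caller's directory to be relative, then canonicalise the full path.
    candidate = posixpath.normpath(posixpath.join(root, user_dir.lstrip("/"), filename))

    # Containment: the canonical path must sit strictly below the upload root.
    if not candidate.startswith(root + "/"):
        raise PathTraversal(f"path escapes upload root: {candidate}")
    return candidate


def check_upload(upload_root, user_dir, filename):
    """Report instead of raise: (True, path) when accepted, (False, reason) when refused."""
    try:
        return True, safe_target_path(upload_root, user_dir, filename)
    except PathTraversal as exc:
        return False, str(exc)


def demo():
    """Where a constructed traversal attempt lands with each handler."""
    user_dir = "../../var/www/html"   # constructed attacker input
    filename = "shell.php"
    landed = vulnerable_target_path(UPLOAD_ROOT, user_dir, filename)
    return landed, check_upload(UPLOAD_ROOT, user_dir, filename)


if __name__ == "__main__":
    landed, verdict = demo()
    print("vulnerable handler writes to:", landed)
    print("hardened handler says:", verdict)
```

Two things to notice in the hardened version: the containment check runs on the canonical path, not on the raw input (so `customer/../../../etc` is caught even though it starts with a harmless-looking component), and the extension check is a second, independent layer, since a traversal bug is most dangerous precisely when the file written is one the server will execute.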

The referenced commit 3ee785429d3f1b33c9ab387ef4221127c9b8c5f3 in the MikoPBX Core repository changes the upload logic; updated releases are distributed from the project site, mikopbx.com.

EPSS has remained flat at 0.0987 (93.2nd percentile), with no material rise after disclosure.

Vulnerability details

PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.

CWE(s)

CWE-23: Relative Path Traversal

Related Threats

No named threat actor has been attributed yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

MikoPBX, versions through 2024.1.114 (inferred from the references and description; NVD did not file a CPE for this CVE).

Mitigating Controls

No mitigating controls have been mapped yet; the per-CVE control annotator has not reached this CVE. Pending that, the direct remediation is to upgrade past 2024.1.114 to a release that includes the referenced fix commit, and, because exploitation requires authenticated API access, to limit which accounts hold API privileges on the PBX.

References

MikoPBX Core repository, commit 3ee785429d3f1b33c9ab387ef4221127c9b8c5f3 (fix for the upload logic)
mikopbx.com (project site and distribution point for updated releases)