Cyber Resilience

CVE-2025-63994

CriticalPublic PoC

Published: 18 November 2025

Published
18 November 2025
Modified
31 December 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0029 52.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63994 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Psolom Richfilemanager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked in the top 47.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-63994, published on 2025-11-18, is an arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager version 2.7.6. The flaw enables attackers to execute arbitrary code by uploading a crafted file and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact potential.

Remote attackers without authentication or privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows uploading a malicious file, leading to arbitrary code execution on the affected server, potentially resulting in full compromise with high impacts on confidentiality, integrity, and availability.

Advisories and further details are available in the GitHub issue at https://github.com/psolom/RichFilemanager/issues/412.

EU & UK References

Vulnerability details

An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated arbitrary file upload vulnerability in public-facing web component (/php/UploadHandler.php) to web-accessible directory enables ingress tool transfer (T1105), exploitation of public-facing application (T1190), and web shell deployment/execution (T1505.003) for RCE.

CVEs Like This One

CVE-2025-6207Shared CWE-434
CVE-2024-50620Shared CWE-434
CVE-2025-12171Shared CWE-434
CVE-2025-26325Shared CWE-434
CVE-2025-6079Shared CWE-434
CVE-2024-13448Shared CWE-434
CVE-2025-51056Shared CWE-434
CVE-2025-66256Shared CWE-434
CVE-2026-32523Shared CWE-434
CVE-2025-6423Shared CWE-434

Affected Assets

psolom
richfilemanager
2.7.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific flaw in /php/UploadHandler.php by identifying, prioritizing, and correcting the arbitrary file upload vulnerability through patching or code fixes.

prevent

Requires validation of uploaded files for type, content, and dangerous characteristics to block crafted files that enable arbitrary code execution.

preventdetect

Deploys malicious code protection at system entry points to scan and eradicate uploaded crafted files before they can execute arbitrary code.

References