Cyber Posture

CVE-2025-63994

Critical · Public PoC

Published: 18 November 2025

Modified: 31 December 2025
KEV Added: not listed
Patch: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (51.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63994 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Psolom Richfilemanager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks in the top 48.1% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation [prevent]
Directly remediates the specific flaw in /php/UploadHandler.php by identifying, prioritizing, and correcting the arbitrary file upload vulnerability through patching or code fixes.

SI-10 Information Input Validation [prevent]
Requires validation of uploaded files for type, content, and dangerous characteristics to block crafted files that enable arbitrary code execution.

SI-3 Malicious Code Protection [prevent, detect]
Deploys malicious code protection at system entry points to scan and eradicate uploaded crafted files before they can execute arbitrary code.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An unauthenticated arbitrary file upload in a public-facing web component (/php/UploadHandler.php) that writes to a web-accessible directory enables ingress tool transfer (T1105), exploitation of a public-facing application (T1190), and web shell deployment and execution (T1505.003), resulting in remote code execution.

NVD Description

An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file.

Deeper analysis [AI-generated]

CVE-2025-63994, published on 2025-11-18, is an arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager version 2.7.6. The flaw enables attackers to execute arbitrary code by uploading a crafted file and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity because it is reachable over the network and has high impact potential.

Remote attackers without authentication or privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation allows an attacker to upload a malicious file and achieve arbitrary code execution on the affected server, potentially resulting in full compromise with high impact on confidentiality, integrity, and availability.

Advisories and further details are available in the GitHub issue at https://github.com/psolom/RichFilemanager/issues/412.

Details

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

psolom richfilemanager 2.7.6

CVEs Like This One

CVE-2025-55383 (shared CWE-434)
CVE-2026-3891 (shared CWE-434)
CVE-2024-57450 (shared CWE-434)
CVE-2025-1025 (shared CWE-434)
CVE-2025-12957 (shared CWE-434)
CVE-2024-13448 (shared CWE-434)
CVE-2025-10412 (shared CWE-434)
CVE-2025-51056 (shared CWE-434)
CVE-2025-6423 (shared CWE-434)
CVE-2025-6207 (shared CWE-434)
