CVE-2025-66802

CriticalPublic PoC

Published: 12 January 2026

Published

12 January 2026

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0067 71.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66802 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Covid-19 Contact Tracing System Project Covid-19 Contact Tracing System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 enforces information input validation at upload points to check content-type, structure, and encoding, directly preventing acceptance of PHP reverse shells disguised as images.

SI-3 Malicious Code Protection good match

preventdetect

SI-3 requires malicious code protection mechanisms at system entry points like file uploads to detect and eradicate reverse shell payloads embedded in images.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and correction of flaws like unrestricted file uploads, remediating the root cause of this RCE vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) via unrestricted file upload, allowing deployment of a PHP reverse shell (T1100) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.

Deeper analysisAI

CVE-2025-66802 is a critical remote code execution (RCE) vulnerability affecting Sourcecodester Covid-19 Contact Tracing System 1.0. The flaw allows attackers to upload a PHP reverse shell disguised within a user image, enabling arbitrary code execution on the server. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting a malicious image containing a PHP reverse shell through the application's upload functionality, the attacker gains full RCE, potentially compromising confidentiality, integrity, and availability of the system, such as executing commands, stealing data, or deploying malware.

Advisories and additional details are available in the provided references, including a Feedly entry at https://feedly.com/cve/CVE-2022-2746 and a GitHub repository at https://github.com/mtgsjr/CVE-2025-66802, which likely contain proof-of-concept exploits or further analysis. No specific patch or mitigation steps are detailed in the core CVE information.