Cyber Resilience

CVE-2025-66802

CriticalPublic PoC

Published: 12 January 2026

Published
12 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0079 51.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-66802 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Covid-19 Contact Tracing System Project Covid-19 Contact Tracing System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66802 is a critical remote code execution (RCE) vulnerability affecting Sourcecodester Covid-19 Contact Tracing System 1.0. The flaw allows attackers to upload a PHP reverse shell disguised within a user image, enabling arbitrary code execution on the server. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting a malicious image containing a PHP reverse shell through the application's upload functionality, the attacker gains full RCE, potentially compromising confidentiality, integrity, and availability of the system, such as executing commands, stealing data, or deploying malware.

Advisories and additional details are available in the provided references, including a Feedly entry at https://feedly.com/cve/CVE-2022-2746 and a GitHub repository at https://github.com/mtgsjr/CVE-2025-66802, which likely contain proof-of-concept exploits or further analysis. No specific patch or mitigation steps are detailed in the core CVE information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) via unrestricted file upload, allowing deployment of a PHP reverse shell (T1100) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654Shared CWE-434
CVE-2025-11948Shared CWE-434
CVE-2025-67260Shared CWE-434
CVE-2025-28915Shared CWE-434
CVE-2023-53956Shared CWE-434
CVE-2025-6058Shared CWE-434
CVE-2021-47819Shared CWE-434
CVE-2025-7852Shared CWE-434
CVE-2026-4883Shared CWE-434
CVE-2019-25630Shared CWE-434

Affected Assets

covid-19 contact tracing system project
covid-19 contact tracing system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 enforces information input validation at upload points to check content-type, structure, and encoding, directly preventing acceptance of PHP reverse shells disguised as images.

preventdetect

SI-3 requires malicious code protection mechanisms at system entry points like file uploads to detect and eradicate reverse shell payloads embedded in images.

prevent

SI-2 mandates timely identification, reporting, and correction of flaws like unrestricted file uploads, remediating the root cause of this RCE vulnerability.

References