Cyber Resilience

CVE-2025-67164

CriticalPublic PoCRCE

Published: 17 December 2025

Published
17 December 2025
Modified
02 January 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0045 35.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67164 is a critical-severity OS Command Injection (CWE-78) vulnerability in Pagekit Pagekit. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-67164 is an authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS version 1.0.18. Published on 2025-12-17, it enables attackers to execute arbitrary code by uploading a crafted PHP file, with associated weakness enumerations including CWE-78, CWE-94, and CWE-434. The vulnerability carries a CVSS v3.1 base score of 9.9, indicating critical severity.

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and results in high impacts to confidentiality (C:H), integrity (I:H), and availability (A:H), potentially allowing full remote code execution on the server.

A proof-of-concept exploit is documented in the vulnerability research repository at https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67164. No official advisories or patch details are specified in the available information.

EU & UK References

Vulnerability details

An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability is an authenticated arbitrary file upload in a public-facing CMS, enabling exploitation of public-facing applications (T1190) to deploy and execute a PHP web shell (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67165Same product: Pagekit Pagekit
CVE-2025-58159Shared CWE-434, CWE-94
CVE-2025-22133Shared CWE-434, CWE-94
CVE-2025-58745Shared CWE-434, CWE-94
CVE-2025-5243Shared CWE-434, CWE-78
CVE-2026-0911Shared CWE-434
CVE-2026-40412Shared CWE-434
CVE-2025-23921Shared CWE-434
CVE-2025-5831Shared CWE-434
CVE-2025-25361Shared CWE-434

Affected Assets

pagekit
pagekit
1.0.18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the arbitrary file upload vulnerability by validating uploaded file types, extensions, and content to block crafted PHP files.

preventdetect

Scans uploaded files in real-time for malicious code, preventing storage and execution of crafted PHP shells that enable arbitrary code execution.

prevent

Restricts file upload inputs to approved types and formats, limiting the ability to upload executable PHP files even for authenticated users.

References