CVE-2025-69990
Published: 13 January 2026
Summary
CVE-2025-69990 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Phpgurukul News Portal. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient validation of the 'file' parameter in remove_file.php by requiring input validation mechanisms to reject arbitrary file paths.
Enforces approved authorizations for file system access, preventing unauthenticated arbitrary file deletions through the vulnerable endpoint.
Applies least privilege to the web application process, limiting the scope of deletable files and mitigating damage from arbitrary deletion attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directly enables exploitation of public-facing web application (T1190) for arbitrary file deletion (T1070.004), facilitating data destruction (T1485) via service disruption and data loss.
NVD Description
phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted.
Deeper analysisAI
CVE-2025-69990 is an arbitrary file deletion vulnerability in the phpgurukul News Portal Project version 4.1. The flaw exists in the remove_file.php component, where the 'file' parameter is insufficiently validated, enabling attackers to specify and delete any file on the server. This issue, published on 2026-01-13, carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-552 (Files or Directories Accessible to External Parties).
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Unauthenticated exploitation allows deletion of arbitrary files, leading to high impacts on integrity (I:H) and availability (A:H), with no confidentiality impact (C:N). This could result in service disruption, data loss, or compromise of the hosting environment by targeting critical system files.
Mitigation details are available in the referenced advisory at https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20deletion%20vulnerability.md.
Details
- CWE(s)