CVE-2022-50912: ImpressCMS File Upload RCE Vulnerability

CVE-2022-50912 Overview

CVE-2022-50912 is a critical file upload vulnerability affecting ImpressCMS 1.4.4 that stems from weak file extension sanitization in the content management system. This vulnerability allows attackers to bypass file upload restrictions by using alternative PHP file extensions such as .php2, .php6, .php7, .phps, and .pht, ultimately enabling arbitrary PHP code execution on the server.

The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), which represents a significant security risk in web applications that accept user file uploads without proper validation and sanitization of file types.

Critical Impact
Successful exploitation allows remote attackers to upload malicious PHP files and achieve arbitrary code execution on vulnerable ImpressCMS servers, potentially leading to complete server compromise.

Affected Products

ImpressCMS version 1.4.4
ImpressCMS installations with default file upload configurations
Web servers configured to execute alternative PHP file extensions

Discovery Timeline

2026-01-13 - CVE-2022-50912 published to NVD
2026-01-13 - Last updated in NVD database

Technical Details for CVE-2022-50912

Vulnerability Analysis

The vulnerability exists in ImpressCMS 1.4.4's file upload handling mechanism, which fails to adequately validate and restrict file extensions during the upload process. While the application may block standard .php file extensions, the sanitization logic does not account for alternative PHP file extensions that Apache and other web servers may be configured to interpret as executable PHP code.

Attackers can exploit this weakness by crafting file uploads with extensions like .php2, .php6, .php7, .phps, or .pht. When these files are uploaded to the server and subsequently accessed via HTTP, the web server processes them as PHP scripts, executing any malicious code contained within.

This vulnerability is particularly dangerous because it requires no authentication to exploit via network access. The attack can be performed remotely with low complexity, and successful exploitation grants attackers the ability to execute arbitrary commands with the privileges of the web server process.

Root Cause

The root cause of CVE-2022-50912 lies in insufficient file extension validation within the ImpressCMS upload handler. The application implements a blocklist-based approach to file type validation that only checks for common executable extensions like .php, while failing to account for less common but equally dangerous PHP-executable extensions.

This represents a classic example of incomplete input validation, where the defensive mechanism relies on a known-bad list rather than implementing a more secure allowlist approach that explicitly permits only safe file types.

Attack Vector

The attack vector for this vulnerability is network-based, requiring no user interaction or prior authentication. An attacker can exploit this vulnerability through the following general approach:

Identify an ImpressCMS 1.4.4 installation with file upload functionality
Create a malicious PHP payload (e.g., web shell or reverse shell)
Rename the payload file with an alternative PHP extension that bypasses validation
Upload the file through the vulnerable file upload mechanism
Navigate to the uploaded file's URL to trigger PHP code execution
Achieve arbitrary command execution on the target server

For detailed technical implementation and proof-of-concept code, refer to the Exploit-DB #50890 entry and the VulnCheck Advisory on ImpressCMS.

Detection Methods for CVE-2022-50912

Indicators of Compromise

Presence of files with unusual PHP extensions (.php2, .php6, .php7, .phps, .pht) in upload directories
Web server access logs showing requests to files with alternative PHP extensions
Unexpected PHP files in ImpressCMS upload folders that were not uploaded by administrators
Web shell signatures or suspicious PHP code in uploaded files

Detection Strategies

Implement file integrity monitoring on ImpressCMS upload directories to detect unauthorized file additions
Configure web application firewalls (WAF) to inspect file upload requests for dangerous content types
Review web server access logs for requests targeting files with alternative PHP extensions
Deploy endpoint detection solutions to identify web shell activity and suspicious process execution from web server contexts

Monitoring Recommendations

Enable detailed logging for all file upload operations within ImpressCMS
Monitor for unusual outbound network connections originating from the web server process
Set up alerts for new file creations in upload directories, particularly those with executable extensions
Regularly audit uploaded files for malicious content using antivirus and file analysis tools

How to Mitigate CVE-2022-50912

Immediate Actions Required

Upgrade ImpressCMS to the latest available version that addresses this vulnerability
Review and remove any suspicious files with alternative PHP extensions from upload directories
Implement server-side file type validation using allowlists rather than blocklists
Consider restricting file upload functionality until patches can be applied

Patch Information

Organizations running ImpressCMS 1.4.4 should consult the ImpressCMS Official Website and the GitHub ImpressCMS Repository for security updates and patch information. It is recommended to upgrade to the latest stable release that addresses this file upload vulnerability.

Workarounds

Configure the web server to prevent execution of PHP code from files with alternative extensions (.php2, .php6, .php7, .phps, .pht)
Implement strict allowlist-based file type validation at the application level, permitting only explicitly safe file types
Store uploaded files outside the web root or in directories where script execution is disabled
Use .htaccess or server configuration to deny execution of any files in upload directories

bash

# Apache configuration to disable PHP execution in upload directories
# Add to .htaccess in the upload directory or server configuration
<FilesMatch "\.(php|php2|php3|php4|php5|php6|php7|phps|pht|phtml)$">
    Require all denied
</FilesMatch>

# Alternative: Disable all script handlers in upload directory
<Directory "/var/www/html/impresscms/uploads">
    php_admin_flag engine off
    RemoveHandler .php .phtml .php2 .php3 .php4 .php5 .php6 .php7 .phps .pht
</Directory>

CVE-2022-50912 Overview

Critical Impact
Successful exploitation allows remote attackers to upload malicious PHP files and achieve arbitrary code execution on vulnerable ImpressCMS servers, potentially leading to complete server compromise.

Affected Products

ImpressCMS version 1.4.4
ImpressCMS installations with default file upload configurations
Web servers configured to execute alternative PHP file extensions

Discovery Timeline

2026-01-13 - CVE-2022-50912 published to NVD
2026-01-13 - Last updated in NVD database

Technical Details for CVE-2022-50912

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector for this vulnerability is network-based, requiring no user interaction or prior authentication. An attacker can exploit this vulnerability through the following general approach:

Identify an ImpressCMS 1.4.4 installation with file upload functionality
Create a malicious PHP payload (e.g., web shell or reverse shell)
Rename the payload file with an alternative PHP extension that bypasses validation
Upload the file through the vulnerable file upload mechanism
Navigate to the uploaded file's URL to trigger PHP code execution
Achieve arbitrary command execution on the target server

For detailed technical implementation and proof-of-concept code, refer to the Exploit-DB #50890 entry and the VulnCheck Advisory on ImpressCMS.

Detection Methods for CVE-2022-50912

Indicators of Compromise

Presence of files with unusual PHP extensions (.php2, .php6, .php7, .phps, .pht) in upload directories
Web server access logs showing requests to files with alternative PHP extensions
Unexpected PHP files in ImpressCMS upload folders that were not uploaded by administrators
Web shell signatures or suspicious PHP code in uploaded files

Detection Strategies

Implement file integrity monitoring on ImpressCMS upload directories to detect unauthorized file additions
Configure web application firewalls (WAF) to inspect file upload requests for dangerous content types
Review web server access logs for requests targeting files with alternative PHP extensions
Deploy endpoint detection solutions to identify web shell activity and suspicious process execution from web server contexts

Monitoring Recommendations

Enable detailed logging for all file upload operations within ImpressCMS
Monitor for unusual outbound network connections originating from the web server process
Set up alerts for new file creations in upload directories, particularly those with executable extensions
Regularly audit uploaded files for malicious content using antivirus and file analysis tools

How to Mitigate CVE-2022-50912

Immediate Actions Required

Upgrade ImpressCMS to the latest available version that addresses this vulnerability
Review and remove any suspicious files with alternative PHP extensions from upload directories
Implement server-side file type validation using allowlists rather than blocklists
Consider restricting file upload functionality until patches can be applied

Patch Information

Workarounds

Configure the web server to prevent execution of PHP code from files with alternative extensions (.php2, .php6, .php7, .phps, .pht)
Implement strict allowlist-based file type validation at the application level, permitting only explicitly safe file types
Store uploaded files outside the web root or in directories where script execution is disabled
Use .htaccess or server configuration to deny execution of any files in upload directories

bash

# Apache configuration to disable PHP execution in upload directories
# Add to .htaccess in the upload directory or server configuration
<FilesMatch "\.(php|php2|php3|php4|php5|php6|php7|phps|pht|phtml)$">
    Require all denied
</FilesMatch>

# Alternative: Disable all script handlers in upload directory
<Directory "/var/www/html/impresscms/uploads">
    php_admin_flag engine off
    RemoveHandler .php .phtml .php2 .php3 .php4 .php5 .php6 .php7 .phps .pht
</Directory>

CVE-2022-50912: ImpressCMS File Upload RCE Vulnerability

CVE-2022-50912 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-50912

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-50912

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-50912

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-50912: ImpressCMS File Upload RCE Vulnerability

CVE-2022-50912 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-50912

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-50912

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-50912

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform