Skip to main content
CVE Vulnerability Database

CVE-2025-6872: Simple Company Website RCE Vulnerability

CVE-2025-6872 is a critical remote code execution vulnerability in Oretnom23 Simple Company Website 1.0 caused by unrestricted file upload. This article covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-6872 Overview

CVE-2025-6872 is an unrestricted file upload vulnerability in SourceCodester Simple Company Website 1.0, developed by oretnom23. The flaw resides in /classes/SystemSettings.php?f=update_settings, where the img parameter accepts attacker-controlled file content without proper validation. An authenticated remote attacker can abuse this endpoint to upload arbitrary files to the web server. The issue is classified under [CWE-284: Improper Access Control] and has been publicly disclosed with a proof-of-concept available on GitHub.

Critical Impact

Authenticated attackers can upload arbitrary files through the img parameter, potentially planting web shells or malicious content on the hosting server.

Affected Products

  • SourceCodester Simple Company Website 1.0
  • Vendor: oretnom23
  • Component: /classes/SystemSettings.php (update_settings function)

Discovery Timeline

  • 2025-06-29 - CVE-2025-6872 published to the National Vulnerability Database (NVD)
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-6872

Vulnerability Analysis

The vulnerability exists in the settings update workflow of Simple Company Website 1.0. The update_settings action in SystemSettings.php accepts an img argument that is processed as a file upload. The handler does not enforce server-side restrictions on file type, extension, MIME type, or content. As a result, an attacker who can reach the settings endpoint can submit files outside the intended image scope.

Because the upload destination resides under the web root, files written through this path are reachable through normal HTTP requests. An attacker can upload a PHP payload and request it directly, achieving server-side code execution within the privileges of the web server process. The exploit has been disclosed publicly, increasing the likelihood of opportunistic abuse against exposed instances.

Root Cause

The root cause is improper access control combined with missing input validation on the file upload routine. The application trusts the supplied img argument and writes the content to disk without verifying file type, magic bytes, or extension. This is consistent with [CWE-284] and aligns with the broader class of unrestricted upload weaknesses tracked by MITRE.

Attack Vector

The attack vector is network-based and requires high privileges, indicating the attacker must hold an authenticated session with access to the system settings page. After authentication, the attacker issues a crafted POST request to /classes/SystemSettings.php?f=update_settings and provides a malicious payload through the img field. The uploaded file is then served by the web server when requested by URL. Technical details and reproduction steps are documented in the GitHub PoC Issue #28 and the VulDB entry #314344.

Detection Methods for CVE-2025-6872

Indicators of Compromise

  • Unexpected files with executable extensions such as .php, .phtml, or .phar written to upload or settings directories used by Simple Company Website.
  • HTTP POST requests targeting /classes/SystemSettings.php?f=update_settings with multipart payloads where the img field contains non-image content.
  • Outbound connections initiated by the PHP process to previously unseen external hosts after a settings update.

Detection Strategies

  • Inspect web server access logs for repeated requests to update_settings followed by direct GET requests to newly created files in the upload directory.
  • Enable file integrity monitoring on the application's web root to flag the creation of script files where only static assets are expected.
  • Apply web application firewall rules that validate Content-Type and inspect uploaded file content for PHP tags or executable signatures.

Monitoring Recommendations

  • Forward web server access logs and PHP error logs to a centralized logging platform for correlation against upload activity.
  • Alert on any process spawned by the web server user that is not part of the expected application execution profile.
  • Track administrative authentication events and correlate them with subsequent settings modifications.

How to Mitigate CVE-2025-6872

Immediate Actions Required

  • Restrict access to the administrative settings interface through network controls or IP allowlisting until a fix is applied.
  • Rotate administrator credentials to invalidate any sessions that may have been compromised.
  • Audit the application's upload directory for unauthorized files and remove any suspicious artifacts.

Patch Information

No official vendor patch is referenced in the available advisories. Operators should monitor the SourceCodester Security Resources and the VulDB advisory for updates. Until a fix is published, organizations using Simple Company Website 1.0 should treat the application as exposed and apply compensating controls.

Workarounds

  • Disable the update_settings functionality in /classes/SystemSettings.php if it is not required for production operation.
  • Configure the web server to deny execution of script files within the upload directory using directives such as Apache php_admin_flag engine off or equivalent Nginx location rules.
  • Implement server-side validation that enforces an allowlist of image MIME types and verifies file magic bytes before persisting uploads.
  • Place the application behind a web application firewall configured to block uploads containing PHP tags or executable signatures.
bash
# Example Apache configuration to prevent PHP execution in upload directories
<Directory "/var/www/simple_company_website/uploads">
    php_admin_flag engine off
    AddType text/plain .php .phtml .php3 .php4 .php5 .phar
    Options -ExecCGI
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.