Skip to main content
CVE Vulnerability Database

CVE-2025-6873: Simple Company Website RCE Vulnerability

CVE-2025-6873 is a critical remote code execution flaw in Oretnom23 Simple Company Website 1.0 caused by unrestricted file upload. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-6873 Overview

CVE-2025-6873 is an unrestricted file upload vulnerability in SourceCodester Simple Company Website 1.0, developed by oretnom23. The flaw resides in the /classes/Users.php?f=save endpoint, where manipulation of the img parameter allows attackers to upload arbitrary files. The issue is classified under [CWE-284] Improper Access Control. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed installations. Although the CVSS 4.0 base score is low due to required privileges, successful exploitation can place attacker-controlled content on the server.

Critical Impact

Authenticated attackers can upload arbitrary files remotely through the img parameter, potentially leading to webshell placement and follow-on compromise of the hosting environment.

Affected Products

  • SourceCodester Simple Company Website 1.0
  • oretnom23 simple_company_website 1.0
  • CPE: cpe:2.3:a:oretnom23:simple_company_website:1.0:*:*:*:*:*:*:*

Discovery Timeline

  • 2025-06-29 - CVE-2025-6873 published to the National Vulnerability Database (NVD)
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-6873

Vulnerability Analysis

The vulnerability affects the file save handler exposed at /classes/Users.php?f=save. The handler processes the img parameter without enforcing restrictions on file type, extension, or content. An authenticated user can submit a crafted multipart request that places an attacker-controlled file into a server-accessible directory.

Because the upload routine does not validate MIME type, magic bytes, or extension against an allow list, the attacker can substitute executable server-side content such as PHP scripts for the expected image. Once written under the web root, the file can be requested directly to trigger execution within the application's runtime context.

The attack vector is network-based and can be initiated remotely. The vulnerability requires authenticated access, which limits its exposure, but credentials in this application are frequently weak or default in test deployments. The public proof of concept lowers the technical barrier for exploitation.

Root Cause

The root cause is improper access control combined with missing input validation on file upload metadata. The save action in Users.php trusts the client-supplied img field and writes it to disk without verifying that the user is authorized to upload arbitrary content and without restricting the file type written to the filesystem.

Attack Vector

An attacker authenticated to the application sends an HTTP POST request to /classes/Users.php?f=save containing a multipart payload where the img field references a server-side script. After upload, the attacker requests the stored file URL to execute the payload. Public exploitation steps are documented in the GitHub PoC Issue and tracked at VulDB #314345.

No verified exploit code reproduced here. See the public proof of concept for technical specifics:
https://github.com/ez-lbz/poc/issues/29

Detection Methods for CVE-2025-6873

Indicators of Compromise

  • POST requests to /classes/Users.php?f=save containing non-image content in the img parameter
  • New files with executable server-side extensions (.php, .phtml, .phar) in user upload directories
  • Subsequent GET requests to recently uploaded files in image storage paths followed by unusual outbound traffic

Detection Strategies

  • Inspect web server access logs for Users.php?f=save activity correlated with unusual user agents or session IDs
  • Apply web application firewall (WAF) rules that validate uploaded file signatures against declared MIME types
  • Hash and compare files in upload directories against an approved baseline to identify unauthorized additions

Monitoring Recommendations

  • Enable file integrity monitoring on the application's image upload directory
  • Forward HTTP access and PHP error logs to a centralized analytics platform for correlation
  • Alert on execution of PHP processes spawned from paths intended to store static media

How to Mitigate CVE-2025-6873

Immediate Actions Required

  • Restrict network access to the Simple Company Website administrative interfaces until a fix is applied
  • Audit existing upload directories for unauthorized files and remove any non-image content
  • Rotate credentials for all accounts with access to the user management interface
  • Disable PHP execution in directories used to store uploaded media

Patch Information

No vendor patch has been published at the time of writing. SourceCodester resources are listed at the SourceCodester Security Resource. Operators should monitor the VulDB CTI #314345 entry for fix announcements.

Workarounds

  • Add server-side validation that rejects files whose content does not match an allow list of image MIME types and magic bytes
  • Store uploads outside the web root and serve them through a controlled handler that sets a static Content-Type
  • Enforce least-privilege authentication so that only trusted administrators reach Users.php?f=save
bash
# Example Apache configuration to disable PHP execution in the uploads directory
<Directory "/var/www/simple_company_website/uploads">
    php_admin_flag engine off
    RemoveHandler .php .phtml .phar
    AddType text/plain .php .phtml .phar
    Options -ExecCGI
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.