Skip to main content
CVE Vulnerability Database

CVE-2025-8913: Wellchoose Portal System RCE Vulnerability

CVE-2025-8913 is a remote code execution vulnerability in Wellchoose Organization Portal System caused by local file inclusion. Unauthenticated attackers can exploit this to run arbitrary code on servers. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Updated:

CVE-2025-8913 Overview

CVE-2025-8913 is a Local File Inclusion (LFI) vulnerability in the WellChoose Organization Portal System. The flaw allows unauthenticated remote attackers to include and execute arbitrary files on the affected server, resulting in arbitrary code execution. The weakness is tracked under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion). The vulnerability requires no authentication, no user interaction, and is exploitable over the network.

Critical Impact

Unauthenticated remote attackers can execute arbitrary code on servers running the WellChoose Organization Portal System, leading to full system compromise.

Affected Products

  • WellChoose Organization Portal System (cpe:2.3:a:wellchoose:organization_portal_system)
  • All versions prior to the vendor-supplied patch
  • Deployments exposed to untrusted networks are at highest risk

Discovery Timeline

  • 2025-08-13 - CVE-2025-8913 published to the National Vulnerability Database (NVD)
  • 2025-08-21 - Last updated in NVD database

Technical Details for CVE-2025-8913

Vulnerability Analysis

The WellChoose Organization Portal System fails to properly validate user-supplied input passed to a PHP include or require statement. Attackers can manipulate file path parameters in HTTP requests to load arbitrary files from the server filesystem. When the included file contains attacker-controlled PHP code, the server executes it within the application context.

Because the issue is classified under CWE-98, the underlying primitive can extend beyond traditional file disclosure. Attackers may chain the LFI with log poisoning, session files, or upload endpoints to achieve reliable remote code execution. The EPSS data reports a probability of 0.773% for exploitation in the wild within 30 days.

Root Cause

The root cause is improper neutralization of input used in a PHP file inclusion directive. The application accepts a filename or path parameter from an HTTP request and passes it directly to include, require, include_once, or require_once without enforcing an allow-list of permitted files. No path canonicalization or restriction to a safe base directory is applied.

Attack Vector

The attack vector is network-based and requires no authentication. An attacker sends a crafted HTTP request to a vulnerable endpoint with a manipulated path parameter pointing to a local resource containing PHP code. Once interpreted by the server, the payload executes with the privileges of the web server process. Refer to the TWCERT Security Advisory and the TWCERT Incident Report for vendor-coordinated details.

No public proof-of-concept exploit code has been verified for this CVE. Defenders should treat the vulnerability as practically exploitable given the simplicity of LFI primitives in PHP applications.

Detection Methods for CVE-2025-8913

Indicators of Compromise

  • HTTP requests containing path traversal sequences such as ../, ..\, or URL-encoded variants (%2e%2e%2f) targeting portal endpoints
  • Requests referencing sensitive local files such as /etc/passwd, PHP session files in /tmp, or web server log paths
  • Unexpected outbound connections or shell processes spawned by the web server account
  • New or modified .php files in upload, cache, or temporary directories

Detection Strategies

  • Inspect web server and application logs for parameters containing filesystem paths, null bytes (%00), or PHP wrappers like php://filter and php://input
  • Correlate web access logs with process telemetry to identify shell or interpreter execution chained to web server requests
  • Deploy WAF signatures targeting LFI patterns against URIs handled by the Organization Portal System

Monitoring Recommendations

  • Forward web server access logs, PHP error logs, and host process telemetry to a central analytics platform for correlation
  • Alert on PHP-FPM or Apache processes spawning shells (sh, bash, cmd.exe) or network utilities (curl, wget, nc)
  • Monitor file integrity on the web root and writable directories used by the portal application

How to Mitigate CVE-2025-8913

Immediate Actions Required

  • Apply the vendor patch referenced in the TWCERT Security Advisory as soon as it is available for your deployment
  • Restrict network access to the Organization Portal System to trusted users and management networks until patching completes
  • Audit web server and application logs for indicators of prior exploitation, including suspicious path parameters and new files in the web root

Patch Information

WellChoose has coordinated remediation through TWCERT. Administrators should consult the TWCERT Security Advisory and the TWCERT Incident Report for the fixed version and upgrade instructions. Apply the update across all instances, including staging and disaster recovery environments.

Workarounds

  • Place the application behind a web application firewall configured to block LFI patterns, path traversal sequences, and PHP stream wrappers
  • Configure PHP open_basedir to restrict file inclusion to the application directory and disable allow_url_include
  • Run the web server under a least-privileged service account with no write access to the web root
bash
# Example PHP hardening in php.ini
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/portal:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.