CVE-2019-25480 | THREATINT

Description

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../public_html/ to write executable code to the web root and achieve remote code execution.

PUBLISHED Reserved 2026-02-23 | Published 2026-03-11 | Updated 2026-03-11 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unaffected

affected

References

www.exploit-db.com/exploits/47209 (ExploitDB-47209) exploit

www.vulncheck.com/...unrestricted-file-upload-via-upload-php (VulnCheck Advisory: ARMBot Unrestricted File Upload via upload.php) third-party-advisory

cve.org (CVE-2019-25480)

nvd.nist.gov (CVE-2019-25480)

Download JSON