CVE-2009-2025

DM FileManager 3.9.2 - Unauthenticated Authentication Bypass via Cookie Manipulation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2025. PoCs published by ThE g0bL!N.

AI-analyzed exploit summary This exploit demonstrates an insecure cookie handling vulnerability in DM FileManager 3.9.2, allowing an attacker to bypass authentication by setting arbitrary cookie values to gain administrative access.

Description

admin/login.php in DM FileManager 3.9.2 allows remote attackers to bypass authentication and gain administrative access by setting the (1) USER, (2) GROUPID, (3) GROUP, and (4) USERID cookies to certain values.

Exploits (1)

exploitdb WORKING POC VERIFIED

by ThE g0bL!N · textwebappsphp

https://www.exploit-db.com/exploits/8903

View Code ZIP pw:eip

This exploit demonstrates an insecure cookie handling vulnerability in DM FileManager 3.9.2, allowing an attacker to bypass authentication by setting arbitrary cookie values to gain administrative access.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: DM FileManager 3.9.2

No auth needed

Prerequisites: Access to the target application's login page · Ability to execute JavaScript in the victim's browser

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/35167

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/1532

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/8903

Scores

EPSS 0.0261

EPSS Percentile 83.4%

Details

CWE

CWE-264

Status published

Products (1)

dutchmonkey/dm_filemanager 3.9.2

Published Jun 09, 2009

Tracked Since Feb 18, 2026