CVE-2018-25409

HIGH

SIM-PKH 2.4.1 - Arbitrary File Upload via aksi_pengurus.php

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25409. PoC published by Ihsan Sencan.

AI-analyzed exploit summary

This exploit demonstrates an arbitrary file upload vulnerability in SIM-PKH 2.4.1, allowing attackers to upload malicious PHP files via a POST request to the 'aksi_pengurus.php' endpoint. The uploaded file is then accessible at a predictable path, leading to remote code execution.

Description

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with the module=pengurus and act=update parameters; the uploaded files are stored in the web-accessible foto directory, where the server executes them as PHP scripts.

Exploits (1)

exploitdb · WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/45659

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SIM-PKH 2.4.1
Auth required
Prerequisites: Access to the admin panel · Valid PHP session cookie
Analyzed by devstral-2 on May 30, 2026

References (4)

Core References (4)

Exploit
ExploitDB-45659
https://www.exploit-db.com/exploits/45659

Product
Official Product Homepage
https://simpkh.sourceforge.io/

Third Party Advisory
VulnCheck Advisory: SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php
https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php

Scores

CVSS v3 8.8
EPSS 0.0032
EPSS Percentile 24.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE
CWE-434
Status published
Products (1)
Simpkh/SIM-PKH 2.4.1
Published May 30, 2026
Tracked Since May 30, 2026