CVE-2019-25471

CRITICAL

FileThingie 2.5.7 - Arbitrary File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25471. PoCs published by cakes.

AI-analyzed exploit summary This exploit demonstrates an arbitrary file upload vulnerability in FileThingie 2.5.7, allowing an attacker to upload a malicious .zip archive containing a PHP shell, unzip it, and execute arbitrary commands on the target system.

Description

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.

Exploits (1)

exploitdb WORKING POC VERIFIED
by cakes · textwebappsphp
https://www.exploit-db.com/exploits/47349

This exploit demonstrates an arbitrary file upload vulnerability in FileThingie 2.5.7, allowing an attacker to upload a malicious .zip archive containing a PHP shell, unzip it, and execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: FileThingie 2.5.7
No auth needed
Prerequisites: Access to the FileThingie web interface
devstral-2 · analyzed Mar 12, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0090
EPSS Percentile 55.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (2)
filethingie/FileThingie 2.5.7
leefish/file_thingie < 2.5.7
Published Mar 11, 2026
Tracked Since Mar 12, 2026