CVE-2025-34100

CRITICAL LAB

BuilderEngine 3.5.0 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-34100. PoCs published by metanubix, hyeonyeonglee, RyanJohnJames, including Metasploit module exploits/multi/http/builderengine_upload_exec.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated file upload vulnerability in BuilderEngine 3.5.0 via elFinder 2.0, allowing remote code execution by uploading a malicious PHP file. The provided HTML form automates the upload process to the vulnerable endpoint.

Description

An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution.

Exploits (4)

exploitdb WORKING POC VERIFIED

by metanubix · phpwebappsphp

https://www.exploit-db.com/exploits/40390

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated file upload vulnerability in BuilderEngine 3.5.0 via elFinder 2.0, allowing remote code execution by uploading a malicious PHP file. The provided HTML form automates the upload process to the vulnerable endpoint.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: BuilderEngine 3.5.0

No auth needed

Prerequisites: Access to the vulnerable endpoint · Ability to send HTTP POST requests

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1204 - User Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by hyeonyeonglee · poc

https://github.com/hyeonyeonglee/CVE-2025-34100

View Code ZIP pw:eip

The repository contains PHP files for a CMS or e-commerce platform, but no exploit code or vulnerability details are present. The files appear to be structural or functional components of the application.

Classification

Stub 30%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: Unknown (possibly a CMS or e-commerce platform)

No auth needed

Prerequisites: None identified

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB

by RyanJohnJames · poc

https://github.com/RyanJohnJames/CVE-2025-34100-demo

View Code ZIP pw:eip

This repository contains PHP files for a demo web server related to CVE-2025-34100 but does not include the actual exploit code. The files serve as an entry point to exploit the vulnerability, which is located in the CMS.

Classification

Stub 80%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: BiteInstall CMS (version not specified)

No auth needed

Prerequisites: Access to the web server · Correct IP address configuration in refund.php

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by metanubix, Marco Rivoli · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/builderengine_upload_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an arbitrary file upload vulnerability in BuilderEngine 3.5.0 via elFinder 2.0, allowing remote code execution by uploading a malicious PHP file through the jquery-file-upload plugin.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: BuilderEngine 3.5.0

No auth needed

Prerequisites: Network access to the target web server · Vulnerable version of BuilderEngine (3.5.0) with exposed jquery-file-upload endpoint

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/builderengine_upload_exec.rb

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/40390

Various Sources third-party-advisory

https://support.alertlogic.com/hc/en-us/articles/115004703183-BuilderEngine-Content-Management-System-CMS-elFinder-2-0-Arbitrary-File-Upload

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/builder-engine-unauthenticated-arbitrary-file-upload

Scores

CVSS v4 9.3

EPSS 0.0231

EPSS Percentile 81.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull mysql:5.7

https://github.com/RyanJohnJames/CVE-2025-34100-demo

https://github.com/hyeonyeonglee/CVE-2025-34100

https://github.com/rapid7/metasploit-framework

View in Library

Details

CWE

CWE-20 CWE-306 CWE-434

Status published

Products (1)

BuilderEngine/CMS 3.5.0

Published Jul 10, 2025

Tracked Since Feb 18, 2026