CVE-2025-34111

CRITICAL

Tiki Wiki CMS Groupware < 15.1 - Unauthenticated Arbitrary File Upload via ELFinder Connector

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34111. PoCs published by Mehmet Ince, Mehmet Ince <[email protected]>, including Metasploit module exploits/unix/webapp/tikiwiki_upload_exec.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated file upload vulnerability in Tiki Wiki <= 15.1 via the ELFinder component, allowing arbitrary PHP code execution. It uploads a malicious PHP file and triggers it to achieve remote code execution.

Description

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Mehmet Ince · rubywebappsphp

https://www.exploit-db.com/exploits/40091

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated file upload vulnerability in Tiki Wiki <= 15.1 via the ELFinder component, allowing arbitrary PHP code execution. It uploads a malicious PHP file and triggers it to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Tiki Wiki <= 15.1

No auth needed

Prerequisites: Network access to the target Tiki Wiki instance · ELFinder component accessible at the default path

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1204 - User Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Mehmet Ince <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb

View Code ZIP pw:eip

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Tiki Wiki <= 15.1

No auth needed

Prerequisites: Target running Tiki Wiki <= 15.1 with exposed ELFinder component

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1204 - User Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Release Notes vendor-advisory patch

https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released

Exploit, Third Party Advisory, VDB Entry exploit

https://www.exploit-db.com/exploits/40091

Exploit, Third Party Advisory exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/tiki-wiki-el-finder-unauthenticated-file-upload-rce

Scores

CVSS v3 9.8

EPSS 0.0152

EPSS Percentile 71.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-306 CWE-20 CWE-434

Status published

Products (2)

tiki/tikiwiki_cms\/groupware < 15.1

Tiki Software Community Association/Wiki CMS Groupware < 15.1

Published Jul 15, 2025

Tracked Since Feb 18, 2026