CVE-2025-52207
CRITICAL EXPLOITED NUCLEI
MikoPBX <2024.1.114 - Code Injection
Title source: llm
Description
PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.
Nuclei Templates (1)
MikoPBX - Unrestricted File Upload
CRITICAL by darses
Shodan:
product:"mikopbx" || http.favicon.hash:8309143 || title:"MikoPBX"
FOFA:
icon_hash="8309143" || title="MikoPBX"
Scores
CVSS v3: 9.9
EPSS: 0.0967
EPSS Percentile: 92.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
VulnCheck KEV: 2025-11-26
CWE: CWE-23
Status: published
Products (1): MIKO/MikoPBX < 2024.1.114
Published: Jun 27, 2025
Tracked Since: Feb 18, 2026