HIGH 8.8

CVE-2018-25388: HaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)

HaPe PKH 1.1 has a file upload security flaw that lets authenticated users upload and execute malicious files on servers running the software. An attacker with valid login credentials can bypass the application's file type checks and upload PHP scripts through several administrative interfaces, leading to arbitrary code execution. This is a post-authentication vulnerability, meaning the attacker must already have system access, but once inside, they can take full control of the affected server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25388 is an authenticated arbitrary file upload vulnerability in HaPe PKH 1.1 stemming from insufficient file type validation (CWE-434). The vulnerability exists across multiple upload endpoints: aksi_foto.php, aksi_user.php, and aksi_kecamatan.php. Attackers can craft requests that bypass content-type and extension checks to upload PHP files, which the web server will execute with the privileges of the application. The lack of proper file type verification, likely reliant on client-side validation or easily-spoofed MIME-type headers, enables remote code execution once authentication is achieved.

Business impact

Successful exploitation grants an authenticated attacker complete remote code execution on the affected server, allowing them to read sensitive data, modify application logic, deploy malware, establish persistence, or pivot to other systems on the network. In multi-tenant or shared hosting environments, this could lead to lateral movement. Organizations relying on HaPe PKH 1.1 for administrative functions face risk to confidentiality, integrity, and availability of their data and services. The severity is amplified if administrative accounts are compromised or if user credentials are weak or shared.

Affected systems

This vulnerability affects HaPe PKH version 1.1. The vendor_products array in the source data is empty, indicating either that the product identifier was not formally registered in the CVE record or that the vendor has not publicly claimed it. Organizations should verify whether they are running HaPe PKH 1.1 or later versions by checking application version strings and consulting vendor advisories to determine which versions remain affected.

Exploitability

The CVSS 3.1 score of 8.8 (HIGH) reflects a network-exploitable vulnerability requiring valid authentication (PR:L), no user interaction, and high impact across confidentiality, integrity, and availability. Exploitability is moderate—an attacker needs valid credentials but no special privileges. The file upload interface is typically accessible to authenticated administrative or user roles, making the barrier to exploitation low for insider threats or account compromise scenarios. No public exploit code or active exploitation data is available in known exploit databases at this time.

Remediation

Organizations using HaPe PKH 1.1 should prioritize upgrading to the latest patched version available from the vendor. Verify the exact version available and any breaking changes before deployment. Pending patching, implement compensating controls: restrict file upload functionality to trusted administrative users only, disable PHP execution in upload directories via web server configuration (.htaccess or nginx rules), and enforce strict file type validation on both client and server sides using whitelisting (not blacklisting). Monitor upload logs for suspicious activity.

Patch guidance

Contact the HaPe PKH vendor or check their official advisory channels for available patches. Given the published date of May 2026 and modification date of June 2026, patch releases may have already been issued. Verify the current version by checking the application's version information under administration settings or in the application files. Test patches in a non-production environment before rolling out to ensure compatibility with your deployment. If no vendor patch is available, escalate the matter to the vendor with a report of this CVE.

Detection guidance

Monitor for suspicious file uploads to the vulnerable endpoints (aksi_foto.php, aksi_user.php, aksi_kecamatan.php), especially uploads with PHP extensions or double extensions (e.g., file.php.jpg). Review web server access logs for POST requests to these endpoints from authenticated users, correlating with unusual process execution (php process spawning unusual child processes). Check upload directories for recently-created PHP files or files with mismatched MIME types. Implement file integrity monitoring on the upload directories. Enable verbose logging on authentication events to detect compromised accounts.

Why prioritize this

This vulnerability merits immediate attention because it enables unauthenticated remote code execution via a post-authentication bypass, affecting all three CIA pillars. The CVSS score of 8.8 reflects high severity. While authentication is required, the barrier is low; compromised user accounts, insider threats, or weak credential management significantly increase risk. HaPe PKH 1.1 appears to be legacy software with limited visibility in public databases, suggesting it may be deployed in smaller or regional deployments where patching cycles are slower.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH severity, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects network accessibility (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), and unrestricted scope with complete impact to confidentiality, integrity, and availability (C:H/I:H/A:H). The primary limiting factor is the requirement for authentication; however, this does not substantially reduce risk in environments where credentials are frequently compromised or reused.

Frequently asked questions

Does this vulnerability require administrative privileges to exploit?

No. The vulnerability is exploitable by any authenticated user with access to the file upload endpoints. This typically includes normal users or low-privileged administrative roles, not just system administrators.

What file types can be uploaded to bypass validation?

The vulnerability specifically allows PHP files to be uploaded by bypassing file type validation. Attack payloads would be written in PHP to execute on the server. Other executable types (JSP, ASP, etc.) may also be exploitable depending on server configuration.

Is HaPe PKH 1.1 actively maintained?

The source data does not indicate maintenance status. Contact the vendor directly to determine support status, available patches, and end-of-life timelines.

Can this be exploited over HTTPS?

Yes. The network vector (AV:N) includes both HTTP and HTTPS protocols. Encryption in transit does not protect against this vulnerability; the flaw is in the application logic, not the transport layer.

This analysis is provided for informational purposes and represents an original interpretation of the published CVE record. The vendor_products field in the CVE source was empty; organizations should verify product applicability independently. Patch version numbers, specific vendor advisories, and detailed technical documentation should be obtained directly from the software vendor. This page does not provide exploit code, weaponized proof-of-concept details, or active exploitation statistics. Organizations should conduct their own risk assessment based on their specific deployment, user base, and threat model. References to web server configuration (htaccess, nginx) assume standard environments; your specific setup may differ. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).