CVE-2018-25409: SIM-PKH 2.4.1 Arbitrary File Upload Leading to Remote Code Execution
SIM-PKH version 2.4.1 contains a file upload vulnerability that allows authenticated users to upload and execute malicious PHP code on the server. An attacker with valid credentials can exploit the file upload functionality to place executable scripts in a web-accessible directory, leading to complete compromise of the affected system. This is a post-authentication attack, meaning the attacker must first obtain legitimate access to the application.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25409 is an arbitrary file upload vulnerability in SIM-PKH 2.4.1 affecting the aksi_pengurus.php endpoint. The vulnerability exists because the application fails to properly validate file uploads submitted through the fupload parameter when module=pengurus and act=update parameters are set. Uploaded files are stored directly in the foto directory without adequate type checking or sanitization. An authenticated attacker can upload PHP files that are then executed by the web server with the privileges of the application process, resulting in remote code execution (RCE). The vulnerability maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Business impact
Successful exploitation allows an authenticated attacker to execute arbitrary code on the web server, leading to complete system compromise. This enables attackers to steal sensitive data, modify application functionality, deploy malware or backdoors, or use the compromised server as a pivot point for lateral movement within the network. Organizations running SIM-PKH 2.4.1 in production environments face significant operational and data security risk, particularly if the application handles sensitive business or user information.
Affected systems
SIM-PKH version 2.4.1 is affected. Organizations should inventory systems running this version, with particular attention to internet-facing or otherwise accessible instances. Verify whether your deployment includes the vulnerable aksi_pengurus.php endpoint and whether it is accessible to authenticated users. No vendor patch information is currently referenced; contact the SIM-PKH vendor or project maintainers for remediation guidance and available updates.
Exploitability
The vulnerability requires valid authentication credentials, which limits its initial attack surface compared to unauthenticated exploits. However, the network attack vector combined with low complexity makes exploitation straightforward for any authenticated user. No special conditions or user interaction are required once access is obtained. The attack is reliable and deterministic. Insider threats or compromised credentials pose the most immediate risk vector; external attackers would need to first breach authentication.
Remediation
Organizations should immediately upgrade SIM-PKH to a patched version released by the vendor. If an update is not yet available, implement compensating controls: restrict access to the aksi_pengurus.php endpoint at the network or application level, disable file upload functionality if not essential, enforce strict file type validation, configure the web server to prevent PHP execution in the foto directory (via .htaccess, nginx configuration, or similar), and implement robust authentication controls and monitoring. Verify that the foto directory and its contents have appropriate file system permissions.
Patch guidance
Contact the SIM-PKH vendor or project maintainers to obtain the latest patched version addressing this vulnerability. Verify the specific version number against the vendor's security advisory before deployment. Test patches in a non-production environment before rolling out to production systems. If a patch is not yet available, apply the compensating controls listed in the remediation section and establish a timeline with the vendor for an official fix. Monitor the vendor's security communications for updates.
Detection guidance
Monitor HTTP POST requests to aksi_pengurus.php with parameters module=pengurus and act=update; flag requests containing file uploads or suspicious parameter values. Inspect the foto directory for recently created or modified PHP files, particularly those with unusual names or timestamps corresponding to suspected compromise periods. Review web server access and error logs for execution of PHP scripts from the foto directory. Implement file integrity monitoring on this directory. Check for unusual process spawning or outbound connections initiated from the web server process around times of suspicious uploads. Log all file uploads including user, timestamp, filename, and content type for forensic review.
Why prioritize this
This vulnerability merits immediate attention despite requiring authentication, due to its HIGH CVSS score (8.8) and the severity of potential impact—remote code execution with full system compromise. Authenticated attacks are realistic vectors, especially given insider threats, credential compromise through phishing or data breaches, and weak authentication implementations. The simplicity of exploitation and wide availability of exploitation tools for such vulnerabilities means this should be treated with high priority in patch management workflows.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: Network attack vector (AV:N) allowing remote exploitation, Low attack complexity (AC:L) requiring no special conditions, authentication requirement (PR:L) reducing but not eliminating risk, no user interaction needed (UI:N), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of unauthenticated remote code execution; however, the authentication prerequisite should inform your risk assessment alongside organizational access controls and credential hygiene.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated attackers?
No. The vulnerability requires valid authentication credentials to access the vulnerable endpoint and upload malicious files. However, compromised credentials, insider threats, or weak authentication mechanisms can lower the practical barrier to exploitation. Organizations should assume that any authenticated user (or attacker with compromised credentials) can potentially exploit this flaw.
What happens if a PHP file is uploaded via this vulnerability?
The uploaded PHP file is stored in the foto directory and becomes executable by the web server. When accessed via HTTP, the web server executes the PHP code with the privileges of the application process. This grants the attacker complete remote code execution, allowing them to read files, modify data, install backdoors, exfiltrate information, or launch further attacks.
Are there any vendor patches or workarounds?
No vendor patch version is currently referenced in available data. Contact the SIM-PKH vendor or project maintainers directly for patch status and availability. In the interim, implement compensating controls such as restricting endpoint access, disabling PHP execution in the foto directory via web server configuration, enforcing strict file type validation, and enhancing authentication and monitoring.
How should we prioritize this vulnerability in our patch management process?
This should be treated as HIGH priority. Despite the authentication requirement, the potential for remote code execution and full system compromise warrants urgent attention. Factor in your organization's exposure (which systems run SIM-PKH 2.4.1 and are they internet-facing), credential security posture, and the availability of vendor patches or workarounds when scheduling remediation.
This analysis is provided for informational purposes to support security assessments and patch management. The information herein is current as of the published date; vulnerability details, patch availability, and vendor advisories may change. Organizations should verify all referenced version numbers, patch versions, and remediation steps against official vendor documentation and security advisories before implementation. SEC.co makes no warranties regarding the completeness or accuracy of this analysis and recommends independent verification by qualified security professionals. Always test patches and security changes in a non-production environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2026-10072HIGHDreamMaker Arbitrary File Upload RCE Vulnerability
- CVE-2026-30761HIGHSourceBans Material Admin Arbitrary File Upload RCE Vulnerability
- CVE-2026-39292HIGHPHPPageBuilder Remote Code Execution via Unrestricted File Upload
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler