CVE-2018-25409: SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
Security readout for executives and security teams
Plain-English summary
SIM-PKH 2.4.1 lets a logged-in attacker upload a PHP file that the server can later run as a web script. That can turn a normal application account into full compromise of the application server, including data theft, data changes, and service disruption.
Executive priority
Prioritize this for rapid triage if SIM-PKH is in use. The vulnerability can enable server compromise after authentication, and public exploit material is referenced. If the product is not deployed, document non-exposure and close.
Technical view
The issue is CWE-434 arbitrary file upload in aksi_pengurus.php. The provided record says PHP content can be submitted through fupload with module=pengurus and act=update, stored under foto, and executed as web scripts. CVSS 3.1 is 8.8 with low complexity and low privileges required.
Likely exposure
Exposure is limited to SIM-PKH 2.4.1 deployments. Risk is highest where the application is internet-accessible and attacker-controlled or weakly protected authenticated accounts exist. The bundle does not identify other affected versions or CPEs.
Exploitation context
A public ExploitDB reference is cited, so exploit information is publicly available. The source bundle marks KEV as false and provides no evidence of active exploitation. Treat this as credible high risk, not confirmed in-the-wild exploitation.
Researcher notes
Evidence comes from the CVE record, VulnCheck advisory, product references, and ExploitDB listing. The bundle does not name a patch, vendor-fixed version, active exploitation, or affected versions beyond SIM-PKH 2.4.1. Avoid assuming broader product impact without additional vendor evidence.
Mitigation direction
Inventory SIM-PKH deployments and confirm whether version 2.4.1 is present.
Check the official project and advisory sources for a fixed release or vendor workaround.
Restrict SIM-PKH access to trusted networks and necessary authenticated users only.
Prevent script execution from the foto upload directory where server configuration allows it.
Review and reduce privileges for accounts able to update pengurus records.
Validation and detection
Confirm whether any exposed instance reports SIM-PKH 2.4.1.
Inspect web server configuration for PHP execution in the foto directory.
Review upload directories for unexpected PHP or executable web script files.
Audit application logs for suspicious pengurus update activity.
Verify whether remediation guidance exists from the official project or advisory source.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-434: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-434 · source CWE mapping
Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.