CVE-2019-25471
FileThingie · FileThingie
FileThingie 2.5.7 is vulnerable to arbitrary file upload via the ft2.php endpoint, allowing attackers to execute remote commands by uploading and unzipping malicious PHP shells.
Executive summary
A critical remote code execution vulnerability in FileThingie 2.5.7 allows attackers to compromise the host server by uploading malicious PHP scripts packaged inside ZIP archives and extracting them with the application's own unzip feature.
Vulnerability
This vulnerability involves an arbitrary file upload flaw in the ft2.php endpoint. An unauthenticated or low-privileged attacker can upload a ZIP archive containing a PHP shell and use the application's built-in unzip functionality to extract and execute the payload in a web-accessible directory.
Business impact
A successful exploit leads to full Remote Code Execution (RCE) on the web server. This allows attackers to browse the file system, steal data, or use the server as a pivot point for internal network attacks. The CVSS score of 9.8 underscores the extreme risk associated with such an easily exploitable flaw.
Remediation
Immediate Action: Upgrade FileThingie to the latest secure version or migrate to a modern, supported file management solution, as version 2.5.7 is severely outdated.
Proactive Monitoring: Scan web directories for unexpected PHP files, particularly in upload folders, and review web server logs for suspicious POST requests to ft2.php involving ZIP file uploads.
Compensating Controls: Disable PHP execution in upload directories using .htaccess or server configuration and implement strict file extension filtering at the gateway level.
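The three remediation items above (scan upload folders for unexpected PHP files, review access logs for POST requests to ft2.php, and deny PHP execution in the upload directory) can be turned into a small defender-side script. The following is an added example, not code from FileThingie or from this advisory. It assumes the web server writes Apache/nginx "combined" access logs, that Apache 2.4 with AllowOverride is in use for the .htaccess control, and the sample log lines and directory layout are constructed here; the query-string parameter names in the sample lines are hypothetical, since the multipart upload body never appears in an access log anyway.

```python
"""Detection and hardening helpers for the FileThingie 2.5.7 advisory.

Added example (not FileThingie or advisory code). Provides:
  parse_access_log()        flag every POST to ft2.php in combined-format logs
  find_unexpected_php()     list files under an upload dir carrying a PHP-family
                            extension anywhere in the name
  write_php_deny_htaccess() write an Apache 2.4 .htaccess that refuses to serve
                            PHP-family files from that directory
"""
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Apache/nginx "combined" log line. Assumption: the server uses this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
) if False else None  # placeholder replaced below (keeps imports grouped)
import re  # noqa: E402
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions that common PHP handler configurations will execute.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Apache 2.4 block: refuse to serve anything with a PHP-family extension.
# nginx has no .htaccess; use a location block with "deny all" instead.
DENY_PHP_HTACCESS = (
    '<FilesMatch "\\.(php[3-7]?|phtml|phar|phps)$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)


def parse_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per POST to ft2.php. The uploaded filename lives in
    the multipart body, which access logs do not record, so every POST to the
    endpoint is reported; 'note' marks requests whose query string already
    mentions zip/unzip and therefore deserve the first look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"]
        if "ft2.php" not in path.split("?", 1)[0]:
            continue
        note = "zip/unzip in request line" if "zip" in path.lower() else ""
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                     "status": m["status"], "note": note})
    return hits


def find_unexpected_php(upload_dir: str) -> List[str]:
    """Walk upload_dir and return relative paths of files with a PHP-family
    extension at any position ('shell.php.jpg' is flagged as well, because
    some AddHandler setups execute it)."""
    root = Path(upload_dir)
    found = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and {s.lower() for s in p.suffixes} & PHP_EXTS:
            found.append(p.relative_to(root).as_posix())
    return found


def write_php_deny_htaccess(upload_dir: str) -> str:
    """Write the deny block to upload_dir/.htaccess and return the file's text."""
    target = Path(upload_dir) / ".htaccess"
    target.write_text(DENY_PHP_HTACCESS)
    return target.read_text()


# Constructed sample log lines (not real traffic; parameter names hypothetical).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /ft2.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /ft2.php?dir=uploads HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /ft2.php?act=unzip&file=a.zip HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "POST /index.php HTTP/1.1" 200 88',
    "garbage line that does not parse",
]


def run_demo() -> Tuple[List[Dict[str, str]], List[str], str]:
    """Build a constructed upload tree in a temp dir and run all three checks."""
    hits = parse_access_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        Path(d, "img").mkdir()
        Path(d, "img", "photo.jpg").write_bytes(b"\xff\xd8")
        Path(d, "img", "shell.php").write_text("<?php ?>")
        Path(d, "report.php.txt").write_text("x")
        found = find_unexpected_php(d)
        htaccess = write_php_deny_htaccess(d)
    return hits, found, htaccess


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Run it with no arguments to see the sample output; in practice point parse_access_log at the real access log and find_unexpected_php at the FileThingie upload root, and review every flagged hit rather than only the zip-tagged ones, since the log line alone cannot prove what the POST body carried.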
Exploitation status
Public Exploit Available: false
Analyst recommendation
FileThingie 2.5.7 is a legacy application with a high-risk profile. Given the age of the software and the severity of the RCE vulnerability, the primary recommendation is to decommission the software or update it immediately to mitigate the risk of a full system takeover.