A critical command injection vulnerability has been identified in the CodeIgniter PHP framework, assigned CVE-2025-54418 with a CVSS score of 9.8. This flaw exists in the ImageMagick processing handler and allows an unauthenticated remote attacker to execute arbitrary commands on the server. Successful exploitation could lead to a complete system compromise, enabling data theft, service disruption, and further attacks on the network.

This is a command injection vulnerability that occurs when an application uses the ImageMagick handler for image processing. The software fails to properly sanitize user-supplied input that is passed as arguments to the ImageMagick command-line tool. An attacker can exploit this by crafting a malicious request, such as uploading a specially named file or manipulating image processing parameters, which includes operating system commands. When the backend application processes the request, these embedded commands are executed on the server with the permissions of the web server user.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk to the organization. Successful exploitation results in Remote Code Execution (RCE), giving an attacker full control over the affected web server. This could lead to severe consequences, including the theft of sensitive data such as customer information and intellectual property, website defacement, deployment of ransomware, or using the compromised server as a foothold to launch further attacks against the internal network. The potential for significant financial loss, reputational damage, and legal liabilities is extremely high.

Immediate Action: Immediately update all instances of CodeIgniter to version 4.6.2 or later to patch the vulnerability. After updating, it is crucial to monitor systems for any signs of exploitation attempts that may have occurred prior to patching. Review web server access logs and system logs for unusual activity related to image processing or unexpected command execution.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation. Look for suspicious child processes being spawned by your web server process (e.g., sh, bash, curl, wget). Monitor for outbound network connections from the web server to unknown or malicious IP addresses. Analyze application logs for malformed image processing requests and error messages originating from the ImageMagick handler.

Compensating Controls: If immediate patching is not feasible, consider the following controls:

• Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block command injection attack patterns.
• If possible within the application's configuration, temporarily switch the image processing handler from ImageMagick to a different library like GD.
• Enforce strict input validation on all parameters related to file uploads and image manipulation to filter out malicious characters.
• Run the web server with the lowest possible user privileges to limit the impact of a potential compromise.

Public Exploit Available: False

Due to the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that immediate action is taken. All applications using the CodeIgniter framework must be upgraded to version 4.6.2 or newer as the highest priority. The risk of full server compromise is severe, and organizations should not wait for evidence of active exploitation to act. If patching is delayed for any reason, apply the recommended compensating controls immediately and maintain a heightened state of monitoring until the patch can be deployed.