CVE-2025-66802

Sourcecodester · Sourcecodester Multiple Products

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-66802, has been discovered in multiple Sourcecodester products.

Executive summary

CVE-2025-66802 is a critical remote code execution (RCE) vulnerability affecting multiple Sourcecodester products. The flaw allows an attacker to upload a malicious file disguised as an image and then have the server execute it, giving them complete control of the affected host. Successful exploitation could lead to total system compromise, data theft, and further intrusion into the network.

Vulnerability

This vulnerability is an unrestricted file upload that leads to remote code execution. The application's image upload function does not validate the content of uploaded files; it relies on client-controlled metadata such as the filename extension or the Content-Type header. An attacker can craft a malicious script (e.g., a PHP web shell), submit it in a way that passes the image check, and have the server save it to a web-accessible directory without verifying that it is a legitimate image. Requesting the stored file by its URL then causes the web server to execute the embedded code, giving the attacker control of the server with the permissions of the web service account. One caveat on the mechanics: a file that is actually stored with a plain .jpg or .png name is served as static content by a correctly configured server, so the execution step relies on an executable extension (such as .php, or a double extension like .php.jpg on servers that map it to the PHP handler) surviving the check, or on a server configuration that executes scripts from the upload directory. Either way, the root cause is the same: the server trusts what the client says about the file instead of inspecting it and controlling where and under what name it is stored.
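The flawed pattern described above beside a hardened version, as an added illustration written in Python so the logic is language-neutral; it is not Sourcecodester's PHP code and the paths, names and sample payloads are constructed assumptions. vulnerable_save models the common mistake of trusting the client's Content-Type and keeping the client's filename; hardened_save validates the bytes, derives the extension server-side and stores the file under a random name outside the web root. It also shows the polyglot edge case (a real PNG with script text appended), which passes a magic-byte check and is rendered harmless only by the naming and storage controls.

```python
"""Image-upload handling: the flawed pattern beside a hardened one.

Added illustration in Python (not Sourcecodester's PHP code). Paths, names
and sample payloads are constructed assumptions.
"""
import os
import secrets
from typing import Optional

# Magic bytes of the image types the application is assumed to accept.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
WEBROOT_UPLOADS = "/var/www/html/uploads"   # assumed: inside the served tree
PRIVATE_UPLOADS = "/var/lib/app/uploads"    # assumed: outside the web root
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def vulnerable_save(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Flawed check: trusts the Content-Type header the client sent and keeps
    the client's filename, so the bytes are never inspected and a name such
    as shell.php lands in a web-served directory. Returns the target path."""
    if not content_type.startswith("image/"):
        return None
    return os.path.join(WEBROOT_UPLOADS, os.path.basename(filename))


def sniff_image_type(data: bytes) -> Optional[str]:
    """Extension derived from content, not from anything the client said."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def hardened_save(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Ignores filename and Content-Type. Accepts only bytes whose magic
    matches an allowed image type, names the file randomly with the detected
    extension, and stores it outside the web root."""
    ext = sniff_image_type(data)
    if ext is None:
        return None
    # Polyglot caveat: a real PNG with script text appended still passes the
    # sniff. It stays harmless only because the stored name never carries an
    # executable extension and the directory is not served by the web server.
    return os.path.join(PRIVATE_UPLOADS, f"{secrets.token_hex(16)}.{ext}")


def is_executable_path(path: str) -> bool:
    """Would a typical mod_php setup execute this path? True when the name
    carries an executable extension in any position (shell.php.jpg counts,
    because AddHandler-style Apache configs consider every dot-separated
    suffix) and the file sits inside the served tree."""
    suffixes = os.path.basename(path).lower().split(".")[1:]
    return any(s in EXEC_EXTS for s in suffixes) and path.startswith(WEBROOT_UPLOADS)


# Constructed sample payloads (not real attack traffic).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_SAMPLE = b"<?php /* script body */ ?>"
POLYGLOT_SAMPLE = PNG_SAMPLE + SCRIPT_SAMPLE


if __name__ == "__main__":
    print("vulnerable:", vulnerable_save("shell.php", "image/jpeg", SCRIPT_SAMPLE))
    print("hardened  :", hardened_save("shell.php", "image/jpeg", SCRIPT_SAMPLE))
    print("polyglot  :", hardened_save("pic.png", "image/png", POLYGLOT_SAMPLE))
```

The point of is_executable_path is that the fix is not the magic-byte check by itself: the polyglot sample passes sniffing in both versions, and only the random non-executable name plus the out-of-web-root location keep it from ever being interpreted.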

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant threat to the organization. A successful exploit would result in a complete compromise of the web server, allowing an attacker to steal, encrypt, or delete sensitive data, including any personally identifiable information (PII) handled by the application. The attacker could also disrupt business operations by defacing the website, installing malware such as ransomware, or using the compromised server as a pivot point to launch further attacks against the internal network. The potential consequences include severe financial loss, reputational damage, and regulatory penalties.

Remediation

Immediate Action: The primary remediation is to apply vendor-supplied patches immediately. Update all affected Sourcecodester products to the latest version as recommended by the vendor. In parallel, begin actively monitoring for signs of exploitation by reviewing web server and application access logs for any suspicious file upload activity.

Proactive Monitoring:

  • Log Analysis: Scrutinize web server access logs for POST requests to file upload endpoints followed by GET requests to non-standard files in image directories (e.g., files with .php extensions).
  • Network Traffic: Monitor for anomalous outbound connections from the web server, as this could indicate a reverse shell connection established by an attacker.
  • File Integrity Monitoring (FIM): Implement FIM on web directories to alert on the creation of new, unexpected executable files (e.g., .php, .phtml, .sh).
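The log-analysis step above, implemented as an added example that is not part of the advisory or any Sourcecodester product. It parses combined-format access log lines and flags, per client IP, a POST to an upload endpoint followed by a GET for a file under the upload directory whose name carries an executable extension, including the double-extension form. The endpoint paths, the upload directory and the sample log lines are constructed assumptions; substitute the real paths of the product being monitored.

```python
"""Upload-then-execute detection over web server access logs.

Added example (not from the advisory). Endpoint paths, upload directory and
sample log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Common/combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINTS = {"/upload.php", "/admin/upload.php"}   # assumed
UPLOAD_DIR = "/uploads/"                                  # assumed
# Executable extension as the last suffix or followed by another one
# (shell.php.jpg), the latter being the double-extension bypass.
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_then_execute(lines: List[str]) -> List[Dict[str, object]]:
    """One alert per GET of an executable-looking file under UPLOAD_DIR.
    preceded_by_upload is True when the same IP POSTed to an upload endpoint
    earlier in the log; a GET without that context is still reported (it may
    be a scanner, or a file planted in another session) at lower confidence."""
    posts_by_ip: Dict[str, List[str]] = defaultdict(list)
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop query string before matching
        if rec["method"] == "POST" and path in UPLOAD_ENDPOINTS:
            posts_by_ip[rec["ip"]].append(rec["ts"])
        elif rec["method"] == "GET" and path.startswith(UPLOAD_DIR) and EXEC_EXT_RE.search(path):
            alerts.append({
                "ip": rec["ip"],
                "path": path,
                "status": int(rec["status"]),
                "preceded_by_upload": bool(posts_by_ip[rec["ip"]]),
                "upload_times": list(posts_by_ip[rec["ip"]]),
            })
    return alerts


# Constructed sample log (combined format, not captured traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2025:10:01:02 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2025:10:01:05 +0000] "GET /uploads/shell.php.jpg?v=1 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2025:10:02:00 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2025:10:02:03 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Dec/2025:10:03:00 +0000] "GET /uploads/old.phtml HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the legitimate upload-then-view of avatar.png produces nothing, the shell.php.jpg request is reported with preceded_by_upload set, and the 404 probe for old.phtml is reported without it. In production, feed the function the tail of the access log and treat a hit with preceded_by_upload and a 200 status as a confirmed-exploitation candidate that warrants pulling the file from disk.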

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Use a Web Application Firewall (WAF) with rules designed to inspect and block malicious file uploads.
  • Modify the web server configuration so that scripts are never executed from the directory where user-uploaded files are stored (for Apache, disable the PHP engine for that directory; for nginx, make sure no .php location rule matches paths under it).
  • Implement a robust server-side validation process that verifies file types by content (magic bytes) and an extension allowlist, then renames the file with a server-chosen name and an extension derived from the detected type. A content check alone is not sufficient: a valid image with script code appended still passes a magic-byte check, so it must be combined with the renaming and storage controls.
  • Store all user-uploaded files outside the web root directory and serve them through an application handler that sets a fixed content type, so an uploaded file can never be requested and executed directly by URL.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Due to the critical CVSS score of 9.8, this vulnerability represents an immediate and severe risk to the organization. An attacker can achieve full system compromise with low attack complexity, making affected applications an attractive target. We strongly recommend that all affected Sourcecodester products be patched immediately and that this be treated as the highest-priority remediation effort. This vulnerability is not currently listed in the CISA KEV catalog; KEV inclusion depends on evidence of active exploitation rather than on severity, so its status should be re-checked as part of ongoing tracking. If patching cannot be performed immediately, the compensating controls outlined above must be implemented without delay to reduce the attack surface.