{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/paymenter--1.2.11/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2025-58048"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Paymenter (\u003c 1.2.11)"],"_cs_severities":["critical"],"_cs_tags":["remote-code-execution","web-application","php","critical-vulnerability","file-upload","webshell"],"_cs_type":"advisory","_cs_vendors":["Paymenter"],"content_html":"\u003cp\u003eA critical remote code execution (RCE) vulnerability, tracked as CVE-2025-58048, has been identified in Paymenter, a billing and client management software. This flaw specifically impacts the ticket attachments functionality, allowing a malicious authenticated user with low privileges to upload arbitrary files to the server. These files, when placed in a publicly accessible directory and subsequently executed due to improper web server configuration, grant attackers full control over the application and the underlying server. Exploitation enables malicious actors to extract sensitive data, including customer information from the database, read credentials from configuration files such as \u003ccode\u003e.env\u003c/code\u003e, and execute arbitrary system commands under the context of the web server user. The vulnerability is present in versions prior to v1.2.11 and was patched in commit \u003ccode\u003e87c3db42282ada1e3cda54b9a01f846926c0669b\u003c/code\u003e, released as v1.2.11.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated, low-privileged user logs into the Paymenter application and accesses the ticket attachments functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and uploads a malicious file, such as a webshell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e), masquerading it as a legitimate attachment.\u003c/li\u003e\n\u003cli\u003eThe Paymenter application processes the upload and stores the malicious file in a publicly accessible directory, typically \u003ccode\u003e/storage/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker then directly accesses the uploaded malicious file (e.g., \u003ccode\u003ehttps://[paymenter_domain]/storage/shell.php\u003c/code\u003e) via a web browser or automated tool.\u003c/li\u003e\n\u003cli\u003eDue to an insecure web server configuration (e.g., Nginx serving \u003ccode\u003e/storage/\u003c/code\u003e files without forcing a download), the server executes the malicious file instead of serving it as static content.\u003c/li\u003e\n\u003cli\u003eThe executed webshell grants the attacker Remote Code Execution (RCE) capabilities under the web server's user context.\u003c/li\u003e\n\u003cli\u003eLeveraging RCE, the attacker extracts sensitive data from the database, reads credentials from configuration files (e.g., \u003ccode\u003e.env\u003c/code\u003e), or executes arbitrary system commands to further compromise the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability is deemed Critical as it allows a low-privilege authenticated user to fully compromise the Paymenter application and its underlying server. If exploited, attackers can gain unauthorized access to sensitive customer information stored in the database, pilfer critical credentials from \u003ccode\u003e.env\u003c/code\u003e or other configuration files, and execute arbitrary system commands. This level of access permits complete control over the affected system, enabling data exfiltration, further lateral movement, and potential disruption of services. While specific victim counts are not available, any Paymenter installation running a vulnerable version is at risk, particularly those that handle customer data and payments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2025-58048 immediately:\u003c/strong\u003e Upgrade Paymenter to version v1.2.11 or later as described in the patches section of this brief.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApply Nginx mitigation:\u003c/strong\u003e If immediate upgrade is not possible, implement the provided Nginx configuration to force downloads for files in the \u003ccode\u003e/storage/\u003c/code\u003e directory, preventing their execution as described in the content section.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy WAF controls:\u003c/strong\u003e Utilize a Web Application Firewall (WAF) to disallow direct access to the \u003ccode\u003e/storage/\u003c/code\u003e directory, as mentioned in the workaround section, until the patch can be applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:08:47Z","date_published":"2026-07-03T11:08:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-paymenter-rce-file-upload/","summary":"A critical remote code execution (RCE) vulnerability, CVE-2025-58048, in Paymenter's ticket attachments functionality allows an authenticated, low-privileged user to upload arbitrary files, leading to full compromise of the application and underlying server, enabling attackers to extract sensitive data, read credentials, and execute arbitrary system commands.","title":"Paymenter vulnerable to Remote Code Execution via public file uploads","url":"https://feed.craftedsignal.io/briefs/2026-07-paymenter-rce-file-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - Paymenter (\u003c 1.2.11)","version":"https://jsonfeed.org/version/1.1"}