{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sim-pkh/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2018-25409"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SIM-PKH"],"_cs_severities":["critical"],"_cs_tags":["cve","file-upload","remote-code-execution","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSIM-PKH 2.4.1 contains an arbitrary file upload vulnerability (CVE-2018-25409). Authenticated attackers can exploit it by uploading malicious PHP files through the \u003ccode\u003efupload\u003c/code\u003e parameter. The vulnerability exists within the \u003ccode\u003eaksi_pengurus.php\u003c/code\u003e endpoint, specifically when processing requests with the \u003ccode\u003emodule=pengurus\u003c/code\u003e and \u003ccode\u003eact=update\u003c/code\u003e parameters. Successful exploitation allows attackers to store PHP files in the \u003ccode\u003efoto\u003c/code\u003e directory, which are then executed as web scripts, potentially leading to remote code execution on the server. 
This poses a significant risk to organizations using the vulnerable software, as it could lead to complete compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the SIM-PKH application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP file containing shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003eaksi_pengurus.php\u003c/code\u003e with \u003ccode\u003emodule=pengurus\u003c/code\u003e and \u003ccode\u003eact=update\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the malicious PHP file in the \u003ccode\u003efupload\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application saves the uploaded PHP file in the \u003ccode\u003efoto\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the path to the uploaded file within the \u003ccode\u003efoto\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP file.\u003c/li\u003e\n\u003cli\u003eThe server executes the PHP code, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the web server hosting SIM-PKH 2.4.1. This could lead to complete system compromise, including data theft, defacement of the website, or the deployment of further malicious payloads. The impact is significant due to the potential for unauthorized access and control of the affected system. 
There are no specific victim counts or sector information available from the provided source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of SIM-PKH to remediate CVE-2018-25409.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect SIM-PKH Arbitrary File Upload (CVE-2018-25409)\u003c/code\u003e to detect malicious file uploads.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003eaksi_pengurus.php\u003c/code\u003e containing PHP code in the \u003ccode\u003efupload\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect SIM-PKH PHP File Execution in foto Directory (CVE-2018-25409)\u003c/code\u003e to detect access attempts to uploaded PHP files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T16:18:52Z","date_published":"2026-05-30T16:18:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sim-pkh-file-upload/","summary":"SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability (CVE-2018-25409) that allows authenticated attackers to upload malicious PHP files via the fupload parameter through the aksi_pengurus.php endpoint, leading to remote code execution.","title":"SIM-PKH 2.4.1 Arbitrary File Upload Vulnerability (CVE-2018-25409)","url":"https://feed.craftedsignal.io/briefs/2026-05-sim-pkh-file-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — SIM-PKH","version":"https://jsonfeed.org/version/1.1"}