{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/phreebooks/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["phreebooks","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePhreeBooks ERP version 5.2.3 contains a critical arbitrary file upload vulnerability within its Image Manager component. This vulnerability allows authenticated attackers to bypass security restrictions and upload malicious files to the server. By crafting specific requests to the image upload endpoint, threat actors can inject PHP files. The successful exploitation of this vulnerability allows for arbitrary code execution on the underlying system, potentially leading to full system compromise. This issue was reported and assigned CVE-2019-25630. Successful exploitation requires authentication, limiting the scope of easily exploitable targets. However, the impact of successful exploitation is severe, allowing for complete control of the affected PhreeBooks ERP instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the PhreeBooks ERP 5.2.3 application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Image Manager component.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003ebizuno/image/manager\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eimgFile\u003c/code\u003e parameter containing a PHP file disguised as an image (e.g., using a double extension like \u003ccode\u003eevil.php.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server saves the uploaded file to a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker then accesses the uploaded PHP file via a direct HTTP request to \u003ccode\u003e/bizunoFS.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebizunoFS.php\u003c/code\u003e script executes the malicious PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the server, enabling further malicious activities like data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the PhreeBooks ERP server. This can lead to complete compromise of the server, including data exfiltration, modification of financial records, and denial of service. While the number of affected installations is unknown, the potential impact on compromised systems is significant due to the sensitive data typically managed by ERP systems. Organizations using PhreeBooks ERP 5.2.3 are vulnerable to complete data loss, financial fraud, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of PhreeBooks ERP to remediate CVE-2019-25630.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003ePhreebooks Image Upload\u003c/code\u003e to detect suspicious requests to the \u003ccode\u003ebizuno/image/manager\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to PHP files within the image upload directories, as this can be a sign of successful exploitation via \u003ccode\u003ebizunoFS.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the server side to prevent uploading files with dangerous extensions like \u003ccode\u003e.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:16:03Z","date_published":"2026-03-24T12:16:03Z","id":"/briefs/2026-03-phreebooks-file-upload/","summary":"PhreeBooks ERP 5.2.3 is vulnerable to arbitrary file upload in the Image Manager component, allowing authenticated attackers to upload malicious PHP files leading to remote code execution.","title":"PhreeBooks ERP 5.2.3 Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-phreebooks-file-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Phreebooks","version":"https://jsonfeed.org/version/1.1"}