PatchSiren cyber security CVE debrief
CVE-2018-25409 Simpkh CVE debrief
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
- Vendor: Simpkh
- Product: SIM-PKH
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-30
- Original CVE updated: 2026-05-30
- Advisory published: 2026-05-30
- Advisory updated: 2026-05-30
Who should care
Organizations running SIM-PKH 2.4.1 web applications, particularly those exposing the administrative interface with file upload capabilities. Security teams should prioritize this vulnerability due to the potential for authenticated remote code execution.
Technical summary
CVE-2018-25409 is an arbitrary file upload vulnerability in SIM-PKH 2.4.1. An authenticated attacker can upload malicious PHP files through the fupload parameter to the aksi_pengurus.php endpoint (with module=pengurus and act=update parameters). The uploaded files are stored in the foto directory and can be executed as web scripts, leading to remote code execution. The vulnerability has a CVSS 4.0 score of 8.7 (HIGH severity) and requires authenticated access.
Defensive priority
HIGH
Recommended defensive actions
- Restrict or disable file upload functionality on the aksi_pengurus.php endpoint until a patch is available
- Implement strict server-side validation of file types, extensions, and MIME types for uploads to the foto directory
- Configure the web server to prevent execution of PHP files in the foto directory (e.g., using .htaccess or directory-level configuration)
- Require strong authentication and apply principle of least privilege for accounts with upload access
- Monitor for unauthorized file uploads and unexpected PHP file execution in the foto directory
- Review and apply any security updates from the SIM-PKH project when available
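The second and fifth actions above (strict server-side upload validation, and monitoring for script execution under foto/) as one worked example. This is added illustration code, not part of SIM-PKH or of this advisory; the function names, the image-only policy and the access-log lines are assumptions constructed for the example, and the web-server configuration step is not covered here.

```python
import re
from pathlib import PurePosixPath

# Server-side policy for the image upload: allowlisted extensions, magic-byte
# sniffing and a scan for PHP open tags (polyglot image/PHP files).
ALLOWED_EXT = {"jpg", "png", "gif"}          # "jpeg" is normalised to "jpg"
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}
PHP_TAG = re.compile(rb"<\?(php\b|=)|<script[^>]*language\s*=\s*['\"]?php", re.I)

def validate_upload(filename, content):
    """Return (accepted, reason). The client-supplied MIME type is ignored on
    purpose: it is attacker-controlled, so only the bytes and the name count."""
    name = PurePosixPath(filename.replace("\\", "/")).name   # drop path parts
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:      # rejects "a.php.jpg", ".jpg", "noext"
        return False, "missing, multiple or empty extension"
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in ALLOWED_EXT:
        return False, "extension not in allowlist"
    sniffed = next((t for magic, t in MAGIC.items() if content.startswith(magic)), None)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ext:
        return False, "extension does not match sniffed type"
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"

# Detection: foto/ should only serve images, so any request for a script-like path under it is worth an alert.
LOG_LINE = re.compile(r'"(?:GET|POST) (/[^ "]*) HTTP/[\d.]+" (\d{3})')
SCRIPT_EXT = re.compile(r"\.ph(p\d?|tml|ar)$")

def suspicious_foto_requests(log_lines):
    """Return (path, status) for each request that executes a script under /foto/."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0].lower()
        if "/foto/" in path and SCRIPT_EXT.search(path):
            hits.append((path, m.group(2)))
    return hits

SAMPLE_LOG = [  # constructed access-log lines, not from any real deployment
    '10.0.0.5 - - [30/May/2026:10:01:02 +0000] "POST /aksi_pengurus.php?module=pengurus&act=update HTTP/1.1" 302 -',
    '10.0.0.5 - - [30/May/2026:10:01:09 +0000] "GET /foto/avatar.jpg HTTP/1.1" 200 8123',
    '10.0.0.5 - - [30/May/2026:10:01:15 +0000] "GET /foto/12345.php HTTP/1.1" 200 57',
]
```

Even with this validation in place, the web server must still refuse to execute scripts from foto/, since validation bugs are exactly what CWE-434 issues exploit.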
Evidence notes
The vulnerability was disclosed with a CVSS 4.0 score of 8.7 (HIGH severity). The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The affected endpoint is aksi_pengurus.php with module=pengurus and act=update parameters, using the fupload parameter for file submission. Uploaded files are stored in the foto directory and can be executed as PHP web scripts. Authentication is required (PR:L in the CVSS vector). The vendor is currently identified as Unknown Vendor with low confidence, based on reference-domain candidate evidence from Exploit Db, and this attribution requires review.