CVE-2025-0473
📋 TL;DR
This vulnerability in the PMB platform allows attackers to persist temporary files on the server by intercepting and preventing the cleanup request after file uploads. It affects PMB versions 4.0.10 and above, potentially enabling file-based attacks like webshell deployment or data exfiltration.
💻 Affected Systems
- PMB (PhpMyBibli)
📦 What is this software?
Pmb by Sigb
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious files (webshells, malware) that persist on the server, leading to remote code execution, data theft, or complete system compromise.
Likely Case
Attackers upload webshells or backdoors to maintain persistent access, potentially leading to data exfiltration or lateral movement within the network.
If Mitigated
With proper file upload restrictions and monitoring, impact is limited to temporary file storage consumption without execution capabilities.
🎯 Exploit Status
Exploitation requires access to the import functionality and ability to intercept/modify HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform
Restart Required: No
Instructions:
1. Check the vendor advisory for the patched version.
2. Back up your PMB installation.
3. Update to the patched version.
4. Verify the fix by testing the import functionality.
🔧 Temporary Workarounds
Disable Import Endpoint
Temporarily disable access to the vulnerable import endpoint
# Add to the document-root .htaccess (in the main server config, prefix the pattern with /):
RewriteEngine On
RewriteRule ^pmb/authorities/import/iimport_authorities$ - [F]
Restrict File Upload Types
Configure the web server to block suspicious file uploads to the import endpoint
# Apache example (mod_setenvif + mod_access_compat): SetEnvIf only tags the request, the Deny line enforces the block
SetEnvIf Request_URI "^/pmb/authorities/import/" block_uploads
Deny from env=block_uploads
🧯 If You Can't Patch
- Implement strict file upload validation and sanitization
- Monitor file system for unexpected temporary files and implement automated cleanup
🔍 How to Verify
Check if Vulnerable:
Test if temporary files persist after uploading via /pmb/authorities/import/iimport_authorities without the follow-up POST request
Check Version:
Check PMB version in admin interface or via version.php file
Verify Fix Applied:
After patching, verify that temporary files are properly cleaned up regardless of request interception
📡 Detection & Monitoring
Log Indicators:
- Multiple failed import attempts
- Unusual file upload patterns to import endpoint
- Temporary files persisting beyond normal lifecycle
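The "temporary files persisting beyond normal lifecycle" indicator above, and the automated cleanup suggested under "If You Can't Patch", can be covered by a scheduled scan of the upload temp directory. The script below is an added example, not part of this advisory or of PMB; the age threshold, the PHP extension list and the fixture directory it builds are constructed assumptions, and the real PMB temp path must be supplied by the operator.

```python
import os
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 15 * 60                          # assumed: a legitimate import temp file is gone well before this
SUSPICIOUS_SUFFIXES = {".php", ".phtml", ".phar"}  # PHP source never belongs in an upload temp directory

def scan_temp_dir(temp_dir, max_age_seconds=MAX_AGE_SECONDS, now=None):
    """Return [(path, age_seconds, reason)] for files that should not be in temp_dir."""
    # reason: "suspicious" for PHP-executable names at any age, "stale" for files older than max_age_seconds.
    # Symlinks are skipped so a planted link cannot point a later unlink outside the temp tree.
    now = time.time() if now is None else now
    findings = []
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            path = Path(root) / name
            if path.is_symlink():
                continue
            try:
                age = now - path.stat().st_mtime
            except FileNotFoundError:
                continue  # removed between listing and stat
            if path.suffix.lower() in SUSPICIOUS_SUFFIXES:
                findings.append((path, age, "suspicious"))
            elif age > max_age_seconds:
                findings.append((path, age, "stale"))
    return findings

def cleanup(temp_dir, max_age_seconds=MAX_AGE_SECONDS, dry_run=True, now=None):
    """Print every finding; unlink only when dry_run is False. Returns the findings."""
    findings = scan_temp_dir(temp_dir, max_age_seconds, now)
    for path, age, reason in findings:
        print(f"{reason}: {path} (age {age / 60:.1f} min)")
        if not dry_run:
            path.unlink()
    return findings

def build_sample_dir(now):
    """Constructed fixture: one fresh import file, one orphaned (stale) one, one fresh .php file."""
    d = Path(tempfile.mkdtemp(prefix="pmb_temp_"))
    for name, age in (("import_ok.tmp", 60), ("import_orphan.tmp", 3600), ("dropped.php", 30)):
        p = d / name
        p.write_text("x")
        os.utime(p, (now - age, now - age))
    return d

if __name__ == "__main__":
    cleanup(build_sample_dir(time.time()), dry_run=True)
```

Run it from cron against the real temp directory with dry_run=True first and review the output before enabling deletion.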
Network Indicators:
- HTTP requests to import endpoint without follow-up POST
- Unusual file upload traffic patterns
SIEM Query:
source="web_server" AND (uri="/pmb/authorities/import/iimport_authorities" AND method="POST") | stats count by src_ip