CVE-2025-14641

4.7 MEDIUM

📋 TL;DR

CVE-2025-14641 is an unrestricted file upload vulnerability in Computer Laboratory System 1.0's admin/admin_pic.php file. Attackers can remotely upload malicious files by manipulating the 'image' parameter, potentially leading to server compromise. This affects all installations of Computer Laboratory System 1.0 with the vulnerable component exposed.

💻 Affected Systems

Products:
  • Computer Laboratory System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin_pic.php to be accessible, which is part of the default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server takeover, data theft, or ransomware deployment.

🟠 Likely Case: Webshell upload enabling persistent backdoor access, data exfiltration, or lateral movement within the network.

🟢 If Mitigated: Uploaded files remain isolated without execution privileges, limiting impact to storage consumption.

🌐 Internet-Facing: HIGH - Remote exploitation with published exploit increases attack surface significantly.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details published on GitHub, making trivial exploitation possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider workarounds or system replacement.

🔧 Temporary Workarounds

File Upload Restriction

Applies to: all

Implement server-side validation to restrict uploaded file types to images only.

# Add to admin_pic.php: validate file extension and MIME type
# Example: if(!in_array($file_ext, ['jpg','png','gif'])) { die('Invalid file'); }
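A fuller server-side check in the same spirit, added here as an example and not code from Computer Laboratory System: the 'image' field name comes from the advisory, while the upload directory and the 2 MiB size cap are assumptions. It validates the extension, the sniffed MIME type and the decoded image, then stores the file under a server-generated name.

```php
<?php
// Added example (not Computer Laboratory System code): image-only upload check
// for the 'image' parameter. Assumes $uploadDir is writable by the web server
// and is configured so that nothing inside it is executed as a script.
declare(strict_types=1);

function validate_image_upload(array $file, string $uploadDir): string
{
    // Accept only a completed multipart upload that PHP itself received.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    if ($file['size'] > 2 * 1024 * 1024) {   // 2 MiB cap (assumed limit)
        throw new RuntimeException('File too large');
    }
    // Extension allow-list; the client-supplied name is never reused as-is.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Check the bytes, not the client-sent Content-Type: sniff the MIME type
    // and confirm the data decodes as an image of the claimed kind.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $info  = @getimagesize($file['tmp_name']);
    if ($mime !== $allowed[$ext] || $info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Content is not a ' . $ext . ' image');
    }
    // Server-generated name: the client controls neither path nor extension.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    return $dest;
}

// Usage inside admin_pic.php (upload directory path is assumed):
// $path = validate_image_upload($_FILES['image'], __DIR__ . '/../uploads');
```

Pair this with a web-server rule that refuses to run scripts from the upload directory; that rule, not the validation alone, is what keeps the "If Mitigated" outcome above.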

Access Control

Applies to: all

Restrict access to admin_pic.php via web server configuration or authentication.

# Apache (needs an AuthType/AuthUserFile pair, otherwise Require valid-user alone fails):
# <Location "/admin/admin_pic.php">
#     AuthType Basic
#     AuthName "Restricted"
#     AuthUserFile "/path/to/.htpasswd"
#     Require valid-user
# </Location>
# Nginx (keep the existing PHP/fastcgi handler directives inside this block, or the source is served as a file):
# location = /admin/admin_pic.php {
#     auth_basic "Restricted";
#     auth_basic_user_file /path/to/.htpasswd;
# }

🧯 If You Can't Patch

  • Remove or rename admin/admin_pic.php file from the web directory
  • Implement WAF rules to block requests containing suspicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a non-image file (e.g., test.php) to admin/admin_pic.php and check if it's accepted.

Check Version:

Check system documentation or configuration files for version information.

Verify Fix Applied:

Test that only image files are accepted and uploaded files cannot be executed as code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to admin_pic.php
  • POST requests with non-image file extensions
  • Files with executable extensions in upload directories

Network Indicators:

  • HTTP POST requests to /admin/admin_pic.php with file uploads
  • Subsequent requests to uploaded files with suspicious extensions

SIEM Query:

source="web_logs" AND uri="/admin/admin_pic.php" AND method="POST" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")
