CVE-2025-34111

9.8 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated remote attacker upload arbitrary files, including PHP scripts, to a Tiki Wiki CMS Groupware server through the PHP back end of the bundled ELFinder file manager (vendor_extra/elfinder/connector.minimal.php). Requesting the uploaded script afterwards gives remote code execution as the web server user. All Tiki Wiki installations running version 15.1 or earlier with the default ELFinder configuration are affected.

💻 Affected Systems

Products:
  • Tiki Wiki CMS Groupware
Versions: 15.1 and earlier
Operating Systems: All operating systems running Tiki Wiki
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default ELFinder connector (connector.minimal.php) which is included in standard installations.

📦 What is this software?

Tiki Wiki CMS Groupware (Tiki) is an open-source web application written in PHP that combines a wiki, a content management system and groupware features (file galleries, forums, trackers, calendars) in one codebase, typically deployed on Apache or nginx with MySQL/MariaDB. ELFinder is a third-party open-source, jQuery-based web file manager; Tiki ships a copy of it under vendor_extra/elfinder/, and its PHP back end, connector.minimal.php, is the component this vulnerability lives in.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to internal networks, and maintain persistent access.

🟠

Likely Case

Web shell deployment leading to data exfiltration, website defacement, cryptocurrency mining, or ransomware deployment.

🟢

If Mitigated

The web server refuses to execute scripts in the ELFinder upload directory (file type restrictions or a deny rule scoped to that directory), so an uploaded PHP file is served as text or rejected rather than run. The attacker still has an unauthenticated arbitrary file write on the host, which is enough for defacement or hosting arbitrary content, so this is a stopgap rather than a fix.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module and public exploit code are available, making exploitation trivial for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tiki 15.2, 14.4, and 12.9

Vendor Advisory: https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released

Restart Required: No

Instructions:

1. Back up the Tiki files and the database.
2. Download the patched release for your branch (15.2, 14.4 or 12.9) from tiki.org.
3. Replace the installation's files with the patched version, keeping the site's database configuration (db/local.php) and its data directories.
4. Run the Tiki installer (tiki-install.php) to apply any database updates.
5. Confirm the new version in the admin panel, then re-test the connector as described under How to Verify.

🔧 Temporary Workarounds

Disable ELFinder connector

linux

Remove or rename the vulnerable connector.minimal.php so that no request can reach the ELFinder connector. This disables every ELFinder function in Tiki, not only uploads, until the patch is applied. Renaming in place, as below, is enough only if the web server does not serve .disabled files as plain text; otherwise move the file outside the document root.

mv /path/to/tiki/vendor_extra/elfinder/connector.minimal.php /path/to/tiki/vendor_extra/elfinder/connector.minimal.php.disabled

Implement web server file type restrictions

all

Configure the web server to refuse requests for PHP scripts in the directory ELFinder writes uploads to (the upload root set by the 'path' option in connector.minimal.php), so an uploaded script cannot be executed. Put the rule in that directory's .htaccess or in a <Directory> block scoped to it; applied site-wide it would also block connector.minimal.php and the rest of Tiki. Match the other extensions the PHP handler commonly executes (.phtml, .phar, .php5), not just .php. The Apache 2.4 form is shown, with the 2.2 equivalent in a comment.

<FilesMatch "\.ph(?:p[0-9]?|tml|ar)$">
    # Apache 2.4 syntax; on Apache 2.2 use: Order deny,allow / Deny from all
    Require all denied
</FilesMatch>

This only stops the server from running the script; the upload itself still succeeds and the file still lands on disk.

🧯 If You Can't Patch

  • Restrict network access to /vendor_extra/elfinder/ (or to the whole Tiki instance) to trusted source addresses at the reverse proxy, web server or firewall. The connector is reachable without logging in, so limiting only the administration interfaces does not help.
  • Deploy a web application firewall (WAF) with a rule that blocks requests to /vendor_extra/elfinder/connector.minimal.php outright, or at minimum its POST requests. Blocking only multipart uploads is not enough: the elFinder API can also create and write files through its mkfile and put commands.

🔍 How to Verify

Check if Vulnerable:

Confirm the Tiki version is 15.1 or earlier (for the older branches: any 14.x below 14.4 or 12.x below 12.9), then request /vendor_extra/elfinder/connector.minimal.php?cmd=open&init=1 without a session cookie. An exposed connector answers the elFinder init request with a JSON document (it carries the cwd and api keys) instead of an error or a redirect to the login page.

Check Version:

Check the admin panel, or read the version string from the installation files (lib/setup/twversion.class.php defines it; tiki_version.php where present)

Verify Fix Applied:

Confirm the Tiki version is 15.2, 14.4 or 12.9 (or later within the same branch), then repeat the unauthenticated test against /vendor_extra/elfinder/connector.minimal.php: an upload without a valid Tiki session must be refused, and any file that does get written under /vendor_extra/elfinder/ must not be executed by the server.
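To make the version and connector checks above repeatable, here is an added Python example; it is not code from this page or from the Tiki project. It derives "vulnerable or not" from a version string using the fixed releases named above (15.2, 14.4, 12.9; 16 and newer treated as fixed, 13.x and anything older than 12 treated as never fixed), pulls the version out of lib/setup/twversion.class.php (the `$this->version = '...'` line layout is assumed), builds the unauthenticated elFinder init request, and classifies its response. The sample file content and JSON response are constructed for the example; `assess` ties the two checks together.

```python
import json
import re

# Fixed releases per branch, from the vendor advisory: Tiki 15.2, 14.4 and 12.9.
FIXED_IN_BRANCH = {15: (15, 2), 14: (14, 4), 12: (12, 9)}
CONNECTOR = "/vendor_extra/elfinder/connector.minimal.php"

# Constructed sample of lib/setup/twversion.class.php (line layout assumed).
SAMPLE_TWVERSION = """<?php
class TWVersion {
    function __construct() {
        $this->version = '15.1';
    }
}
"""
# Constructed sample of what an exposed connector returns to the init request.
SAMPLE_INIT_RESPONSE = (
    '{"api":2.1,"cwd":{"name":"files","hash":"l1_Lw","mime":"directory"},'
    '"files":[],"options":{"path":"files"}}'
)


def parse_version(text):
    """Turn '15.1' or 'Tiki 14.4' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable_version(version):
    """True if this Tiki version predates the fixed release of its branch."""
    v = parse_version(version)
    major = v[0]
    if major >= 16:
        return False          # branches released after the fix
    if major in FIXED_IN_BRANCH:
        return v < FIXED_IN_BRANCH[major]
    return True               # 13.x and anything older than 12: no fixed release


def version_from_twversion(php_source):
    """Pull the version string out of twversion.class.php; None if not found."""
    m = re.search(r"\$this->version\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    return m.group(1) if m else None


def init_probe_url(base_url):
    """URL of the elFinder init request; send it with no cookies."""
    return f"{base_url.rstrip('/')}{CONNECTOR}?cmd=open&init=1"


def connector_exposed(status, body):
    """A 200 carrying an elFinder JSON document ('cwd' or 'api' key) means the
    connector answered an unauthenticated client."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and ("cwd" in doc or "api" in doc)


def assess(version, probe_status, probe_body):
    """Combine the version check with the probe result into one verdict."""
    if not is_vulnerable_version(version):
        return "patched"
    if connector_exposed(probe_status, probe_body):
        return "vulnerable: unpatched version and connector reachable without a session"
    return "unpatched version; connector not reachable (workaround in place?)"


if __name__ == "__main__":
    ver = version_from_twversion(SAMPLE_TWVERSION)
    print(init_probe_url("https://wiki.example.com/"))
    print(ver, "->", assess(ver, 200, SAMPLE_INIT_RESPONSE))
```

In practice you feed `connector_exposed` the status and body of a real request to `init_probe_url(...)` made without cookies; a version that reads as patched but a connector that still answers anonymously is worth a second look at how the upgrade was applied.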

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /vendor_extra/elfinder/connector.minimal.php. Standard access logs do not record POST bodies, so the cmd=upload parameter and the uploaded file names are only visible in a WAF or mod_security audit log; treat every POST to the connector as suspect.
  • Files, especially with .php, .phtml or .phar extensions, created in the ELFinder upload directory outside normal usage
  • Web server errors related to PHP execution in upload directories

Network Indicators:

  • HTTP POST requests to ELFinder endpoint with PHP file uploads
  • Subsequent requests to uploaded PHP files in ELFinder directories

SIEM Query:

source="web_server_logs" AND uri="/vendor_extra/elfinder/connector.minimal.php" AND method="POST"

Do not filter on user agent: Metasploit's default user agent is a browser string and attackers set whatever they like, so a curl/wget/python filter hides the hits that matter. Pair it with a second query for execution of an uploaded script:

source="web_server_logs" AND uri CONTAINS "/vendor_extra/elfinder/" AND (uri CONTAINS ".php" OR uri CONTAINS ".phtml" OR uri CONTAINS ".phar") AND NOT uri CONTAINS "connector.minimal.php"
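The indicators above as an added Python detector over Apache/nginx combined-format access log lines (example code, not from this page or the Tiki project). It raises a medium alert for every POST to the connector, a low one for the unauthenticated init probe, and correlates any later request for a PHP-like script under /vendor_extra/elfinder/ from the same client within a ten-minute window into a high alert when the script answered with a non-error status. The upload directory prefix is an assumption and the log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

CONNECTOR = "/vendor_extra/elfinder/connector.minimal.php"
# Where the connector writes uploads (assumed; check the 'path' option in
# your connector.minimal.php and narrow this prefix to that directory).
UPLOAD_PREFIX = "/vendor_extra/elfinder/"
# Extensions the PHP handler is typically configured to execute.
SCRIPT_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.IGNORECASE)

# Combined log format: ip ident user [ts] "METHOD uri proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not real traffic): one client uploads through the
# connector and then calls its script; a second only probes and hits a 404.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2016:10:14:02 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Aug/2016:10:14:05 +0000] "POST /vendor_extra/elfinder/connector.minimal.php HTTP/1.1" 200 241 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Aug/2016:10:14:09 +0000] "GET /vendor_extra/elfinder/files/cmd.php?c=id HTTP/1.1" 200 93 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Aug/2016:10:20:00 +0000] "GET /vendor_extra/elfinder/connector.minimal.php?cmd=open&init=1 HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '198.51.100.4 - - [12/Aug/2016:11:00:00 +0000] "GET /vendor_extra/elfinder/files/x.php HTTP/1.1" 404 200 "-" "curl/7.47.0"',
]


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"], _, e["query"] = e["uri"].partition("?")
    return e


def detect(lines, window=timedelta(minutes=10)):
    """Return alert dicts (rule, severity, ip, ts, uri) in log order."""
    alerts = []
    last_post = {}  # ip -> timestamp of its most recent POST to the connector
    for e in filter(None, map(parse_line, lines)):
        ip, ts, path = e["ip"], e["ts"], e["path"]
        if path == CONNECTOR:
            if e["method"] == "POST":
                # Access logs carry no POST body, so cmd=upload is invisible here;
                # every POST to the connector is recorded and reported.
                last_post[ip] = ts
                alerts.append(dict(rule="connector_post", severity="medium",
                                   ip=ip, ts=ts, uri=e["uri"]))
            elif "init=1" in e["query"]:
                alerts.append(dict(rule="connector_probe", severity="low",
                                   ip=ip, ts=ts, uri=e["uri"]))
            continue
        if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path):
            prior = last_post.get(ip)
            recent = prior is not None and timedelta(0) <= ts - prior <= window
            if recent and e["status"] < 400:
                sev = "high"      # script written moments ago and it answered
            elif recent:
                sev = "medium"    # write followed by a failed call
            else:
                sev = "low"       # script request with no correlated upload
            alerts.append(dict(rule="webshell_access", severity=sev,
                               ip=ip, ts=ts, uri=e["uri"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], a["rule"], a["ip"], a["ts"].isoformat(), a["uri"])
```

Correlating on client address keeps the rule usable behind a proxy only if the log records the real client (X-Forwarded-For in the log format); without that, drop the correlation and alert on every script request under the upload prefix.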

🔗 References
