CVE-2025-48471 – FreeScout versions before 1.8.179 have an unres... (How to Fix)

Q: What is the severity of CVE-2025-48471?

CVE-2025-48471 has a CVSS score of 9.8 (CRITICAL). FreeScout versions before 1.8.179 have an unrestricted file upload vulnerability that allows attackers to upload malicious PHP files (.phtml, .phar extensions) to the web server. When Apache is used, this can lead to remote code execution, potentially giving attackers full control of the server. All FreeScout instances running vulnerable versions with Apache are affected.

📋 TL;DR

FreeScout versions before 1.8.179 have an unrestricted file upload vulnerability that allows attackers to upload malicious PHP files (.phtml, .phar extensions) to the web server. When Apache is used, this can lead to remote code execution, potentially giving attackers full control of the server. All FreeScout instances running vulnerable versions with Apache are affected.

💻 Affected Systems

Products:

FreeScout

Versions: All versions prior to 1.8.179

Operating Systems: Any OS running Apache web server

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Apache web server for exploitation. Other web servers may not execute .phtml/.phar files by default.

📦 What is this software?

Freescout by Freescout

View all CVEs affecting Freescout →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise with attacker gaining shell access, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to web shell deployment, data theft, and potential ransomware deployment.

🟢

If Mitigated

File uploads blocked or properly validated, preventing malicious file execution.

🌐 Internet-Facing: HIGH - Internet-facing FreeScout instances are directly exploitable without authentication.

🏢 Internal Only: HIGH - Internal instances are still vulnerable to internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple file upload with malicious extension. Public exploit code exists in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.179

Vendor Advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-h2f3-932h-v38j

Restart Required: No

Instructions:

1. Backup your FreeScout instance and database. 2. Update to version 1.8.179 via git pull or manual download. 3. Run any database migrations if required. 4. Clear application cache.

🔧 Temporary Workarounds

Apache Configuration Restriction

linux

Configure Apache to not execute .phtml and .phar files

Add to .htaccess or Apache config: <FilesMatch "\.(phtml|phar)$">
    Deny from all
</FilesMatch>

Web Application Firewall Rule

all

Block uploads of .phtml and .phar files at WAF level

🧯 If You Can't Patch

Disable file upload functionality entirely in FreeScout configuration
Migrate to different web server that doesn't execute .phtml/.phar by default

🔍 How to Verify

Check if Vulnerable:

Check if version is below 1.8.179 and test uploading .phtml file (use harmless test file)

Check Version:

Check app/version.php or run: php artisan --version (if configured)

Verify Fix Applied:

Attempt to upload .phtml file - should be rejected. Verify version is 1.8.179 or higher.

📡 Detection & Monitoring

Log Indicators:

File uploads with .phtml or .phar extensions in web server logs
Unusual POST requests to upload endpoints
Execution of unexpected PHP files

Network Indicators:

POST requests with file uploads to FreeScout endpoints
Outbound connections from web server to suspicious IPs

SIEM Query:

source="apache_access" AND (uri_path="*upload*" OR uri_path="*.phtml" OR uri_path="*.phar")

📊 Metadata

CVE ID: CVE-2025-48471

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

EPSS Score: 1.1% exploit probability (77.7th percentile)

Published: May 29, 2025

Last Updated: June 10, 2025

🔗 References

https://github.com/freescout-help-desk/freescout/commit/e136660e8dbc220454b8d3f646dd1b144e49e9ed Patch
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-h2f3-932h-v38j Exploit,Vendor Advisory
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-h2f3-932h-v38j Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-48471, you might also want to check these: