CVE-2025-9847
📋 TL;DR
CVE-2025-9847 is an unrestricted file upload vulnerability in ScriptAndTools Real Estate Management System 1.0. The registration form (register.php) accepts the uimage file field without validating the file's name, type or content, so an attacker can upload a server-side script instead of an image; if the upload directory sits under the web root with script execution enabled, requesting the uploaded file gives remote code execution. All installations of version 1.0 that expose register.php are affected.
💻 Affected Systems
- ScriptAndTools Real Estate Management System
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Webshell deployment allowing persistent backdoor access, data exfiltration, and further exploitation of the server.
If Mitigated
File upload attempts blocked or sanitized, preventing malicious file execution while maintaining legitimate functionality.
🎯 Exploit Status
Exploit details are publicly available, so this is straightforward for an attacker with basic skills to exploit: the registration form is the only interaction needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available. Apply workarounds or consider replacing the software.
🔧 Temporary Workarounds
Restrict file uploads in register.php
Add server-side validation that restricts the uimage upload to image files, checking both the extension and the actual content. Modify register.php to include:
```php
$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif'];
$file_extension = strtolower(pathinfo($_FILES['uimage']['name'], PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_extensions, true)) {
    die('Invalid file type');
}
// Check the bytes as well as the name: the client controls both the filename
// and $_FILES['uimage']['type'], so neither can be trusted on its own.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['uimage']['tmp_name']);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    die('Invalid file type');
}
```
The extension check alone is not enough: pathinfo() returns only the last extension, and a server configured to run PHP for double extensions or for .phtml/.phar files would still execute a file that slips past it, which is why the content check and a server-generated filename matter.
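The following is an added example, not code from ScriptAndTools or from the advisory, showing what a complete hardened replacement for the uimage handling in register.php looks like. It assumes the uploads directory path, the 2 MB size limit and the set of accepted image types; the field name uimage is the one named in the advisory.

```php
<?php
// Added example (not vendor code): validate and store the `uimage` upload from
// register.php. Returns the stored path on success, throws on any rejection.
// Assumptions: $uploadDir is a directory the web server cannot execute scripts
// from, and only JPEG/PNG/GIF profile images are wanted.

function store_profile_image(array $file, string $uploadDir, int $maxBytes = 2097152): string
{
    // Reject anything that is not a real, error-free multipart upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allowlist on the client-supplied name (cheap first filter).
    //    pathinfo() keeps only the LAST extension, so "shell.php.jpg" passes
    //    this step; steps 2 to 4 are what actually stop it.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Sniff the bytes: the detected MIME type must match the extension.
    //    $file['type'] is sent by the client and is never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content type $mime does not match extension");
    }

    // 3. The file must decode as an image (rejects junk with a forged header).
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 4. Never keep the user's filename. A random name plus the allowlisted
    //    extension removes path traversal, double extensions and null bytes.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}

// Usage inside register.php (hypothetical call site):
try {
    $imagePath = store_profile_image($_FILES['uimage'], __DIR__ . '/uploads');
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Invalid image upload');
}
```

Two points are deliberate. The stored filename is generated by the server, so nothing the attacker typed into the multipart filename ever reaches the filesystem. And the check is layered: extension, sniffed MIME type and a successful image decode must all agree. Pair this with a web server configuration that refuses to execute scripts in the uploads directory (for Apache, a `Require all denied` rule on `.php` files in that directory, or `php_flag engine off` where mod_php is in use), so that even a future bypass of the validation yields a static file rather than code execution.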
Disable or restrict access to register.php
If user registration is not required, disable or remove register.php entirely:
```shell
mv register.php register.php.disabled
```
or deny access to it from .htaccess (Apache 2.4 syntax; on Apache 2.2 use `Deny from all` inside the same block):
```apache
<Files "register.php">
    Require all denied
</Files>
```
Confirm afterwards that a request for /register.php returns 403 or 404 rather than the form.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with rules to block malicious file uploads.
- Monitor file upload directories for suspicious files and implement file integrity monitoring.
🔍 How to Verify
Check if Vulnerable:
On a system you are authorised to test, submit the registration form with a harmless marker file that has a non-image extension (for example a plain text file renamed to .php) in the uimage field. If the upload is accepted and the file is stored under the web root, the system is vulnerable; if the server also executes the file when it is requested, the impact is remote code execution. Do not upload a real webshell to confirm this.
Check Version:
Check the software version in the admin panel or configuration files; look for version 1.0 indicators.
Verify Fix Applied:
After applying workarounds, repeat the same upload test. The upload should be rejected with an error, and any file that does reach the upload directory should be returned as static bytes rather than executed when requested.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to register.php with non-image extensions
- Multiple failed upload attempts followed by a successful upload of a suspicious file
Network Indicators:
- HTTP POST requests to register.php with file uploads containing executable content
SIEM Query (pseudo-syntax; the field names are placeholders and must be mapped to your log schema):
source="web_logs" AND uri="/register.php" AND method="POST" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")
Note that standard web server access logs do not record the filename inside a multipart upload, so a file_extension field will only exist if the application, a reverse proxy or a WAF logs it. Where it does not, the more reliable indicator is the second step of the attack: a GET request to a script file (.php, .phtml, .phar) inside the upload directory, especially one returning 200 and carrying a query string, from the same client that recently POSTed to register.php.
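The following is an added example, not part of the advisory, showing the access-log side of that detection in PHP so it can run on the same host as the application. It assumes Apache/nginx combined log format and that uploads are served from /uploads/; the sample log lines are constructed for illustration and the real upload path must be taken from the deployed register.php.

```php
<?php
// Added example (not vendor code): flag requests that execute a script from the
// upload directory and tie them back to a preceding POST /register.php from
// the same client. Upload prefix and sample lines are assumptions.

const UPLOAD_PREFIX     = '/uploads/';                            // assumption
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php5', 'phtml', 'phar'];

/** Parse one combined-format line into fields, or return null if it does not match. */
function parse_combined_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);
    if (!is_string($path)) {
        $path = $m[4];
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'path'   => $path,
        'status' => (int) $m[5],
    ];
}

/**
 * Returns one finding per GET/POST of a server-side script under the upload
 * directory. 'executed' is true when the server answered 200 (it ran or served
 * the script); 'after_register_post' is true when the same client had already
 * POSTed to register.php earlier in the log, which is the upload step.
 */
function detect_upload_abuse(array $lines): array
{
    $findings         = [];
    $lastRegisterPost = [];   // ip => time of the last POST /register.php

    foreach ($lines as $line) {
        $r = parse_combined_log_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && $r['path'] === '/register.php') {
            $lastRegisterPost[$r['ip']] = $r['time'];
            continue;
        }
        $ext = strtolower(pathinfo($r['path'], PATHINFO_EXTENSION));
        if (strpos($r['path'], UPLOAD_PREFIX) === 0 && in_array($ext, SCRIPT_EXTENSIONS, true)) {
            $findings[] = [
                'ip'                  => $r['ip'],
                'uri'                 => $r['uri'],
                'status'              => $r['status'],
                'executed'            => $r['status'] === 200,
                'after_register_post' => isset($lastRegisterPost[$r['ip']]),
            ];
        }
    }
    return $findings;
}

// Constructed sample: a legitimate registration, then an attacker who uploads
// and calls a script. Only the last line should produce a finding.
$sample = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "POST /register.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /uploads/a1b2c3.jpg HTTP/1.1" 200 8410',
    '198.51.100.7 - - [10/Jan/2025:10:05:10 +0000] "POST /register.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jan/2025:10:05:12 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 57',
];

foreach (detect_upload_abuse($sample) as $f) {
    printf("ALERT %s %s status=%d executed=%s after_register_post=%s\n",
        $f['ip'], $f['uri'], $f['status'],
        $f['executed'] ? 'yes' : 'no',
        $f['after_register_post'] ? 'yes' : 'no');
}
```

Run it over the real access log with `$sample` replaced by `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`. A finding with executed=yes is the strongest signal: a script under the upload directory answered with 200, which should never happen on a correctly configured server. Complement it with a periodic scan of the upload directory for files whose sniffed MIME type is not an image, which catches uploads that have not been called yet.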