Critical (9.8)

CVE-2025-50857: PHP Path Traversal — Critical — Patch Now

ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload...

Affected: PHP

Overview

A critical security vulnerability has been identified in ZenTaoPMS, an open-source project management software. This flaw allows an unauthenticated attacker to upload malicious files to unauthorized locations on the server, potentially leading to a full system compromise.

Vulnerability Details

The vulnerability is a Directory Traversal (or Path Traversal) flaw located within the AI module’s control file (/module/ai/control.php). In affected versions, the software does not properly validate the file paths specified during a file upload. This failure allows an attacker to use crafted sequences (like ../) to break out of the intended upload directory.

By exploiting this, an attacker can upload a file, such as a web shell (a malicious script), to any writable directory on the server. Once this file is placed in a location accessible via the web, the attacker can execute arbitrary commands and code on the underlying server with the same permissions as the web server process.
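As an added illustration (this is not ZenTaoPMS code, and the base directory, function names and sample inputs are assumptions; it needs PHP 8 for str_starts_with), the weak path join that a flaw of this class reduces to, beside a hardened resolver that keeps every upload inside the intended directory:

```php
<?php
// Added example, not ZenTaoPMS code: confine an upload destination to a fixed base
// directory. The base path and the sample inputs below are illustrative assumptions.
declare(strict_types=1);

// Weak pattern: a caller-supplied relative path is joined straight onto the upload
// directory, so a value such as "../../other/dir/x.php" walks out of the intended folder.
function weakUploadPath(string $baseDir, string $relative): string
{
    return rtrim($baseDir, '/\\') . '/' . $relative;
}

// Hardened pattern: normalise the relative path lexically (no filesystem access, so it
// works before the target exists), reject every upward step and every odd character,
// and refuse extensions the web server would execute.
function safeUploadPath(string $baseDir, string $relative): ?string
{
    // NUL bytes truncate paths inside C-level filesystem calls; never let them through.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    // Treat backslash as a separator as well: "..\" traverses on Windows hosts.
    $segments = preg_split('#[\\\\/]+#', $relative);
    $kept = [];
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                       // empty and "." segments are no-ops
        }
        if ($segment === '..') {
            return null;                    // any upward step is rejected outright
        }
        if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $segment)) {
            return null;                    // allow-list: no "%", no spaces, no dot-files
        }
        $kept[] = $segment;
    }
    if ($kept === []) {
        return null;
    }
    // Server-side-executable extensions are refused regardless of where the file lands.
    if (preg_match('/\.(?:php\d*|phtml|phar)\z/i', end($kept))) {
        return null;
    }
    $base = rtrim($baseDir, '/\\');
    $target = $base . '/' . implode('/', $kept);
    // Belt and braces: the result must still start with the base directory.
    return str_starts_with($target, $base . '/') ? $target : null;
}

// Illustrative base directory; constructed inputs covering clean and hostile cases.
$baseDir = '/srv/app/data/upload';
$inputs = [
    'report.pdf',
    'project/42/notes.txt',
    '../../module/ai/control.php',
    '..\\..\\index.php',
    'a%2e%2e/b',
    'note.phtml',
];
foreach ($inputs as $in) {
    printf("%-32s weak: %-52s safe: %s\n", $in,
        weakUploadPath($baseDir, $in), safeUploadPath($baseDir, $in) ?? 'REJECTED');
}
```

The resolver refuses any ".." segment rather than trying to "resolve" it, because an upload handler never has a legitimate reason to step upwards. The extension check is deliberately separate from the containment check: even a file that lands in the right directory must not be something the web server will execute, so the hardening holds if the directory is ever exposed over HTTP.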

Affected Versions: ZenTaoPMS v18.11 through v21.6.beta.

Potential Impact

The impact of this vulnerability is severe. Successful exploitation can lead to:

  • Complete System Takeover: Attackers can execute any command on the server.
  • Data Theft or Destruction: Sensitive company data, source code, and user information within the ZenTaoPMS database and server files are at risk.
  • Website Defacement: Attackers can alter or replace website content.
  • Launching Point for Further Attacks: The compromised server can be used to attack other internal systems in your network.

With a CVSS score of 9.8 (Critical), this vulnerability is considered highly dangerous due to the low attack complexity and the potential for full loss of confidentiality, integrity, and availability.

Remediation and Mitigation

Immediate action is required to protect affected systems.

Primary Remediation: The most effective action is to upgrade ZenTaoPMS immediately. Apply the latest official patch or version provided by the ZenTao team that addresses CVE-2025-50857. Check the official ZenTao website or repository for security updates.

Temporary Mitigation (If Patching is Delayed):

  1. Restrict Access: If possible, restrict network access to the ZenTaoPMS instance (e.g., using a firewall) to only trusted IP addresses, such as your corporate network.
  2. Disable the Module: Consider disabling the affected AI module if it is not in use. This may require modifying or removing the relevant code or configuration. Always test this in a non-production environment first.
  3. Web Application Firewall (WAF): Deploy or configure a WAF to block requests containing directory traversal patterns (../, ..\, etc.) targeted at the vulnerable endpoint.
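To complement a WAF rule, an added detection example (not ZenTaoPMS code; the log lines and URL paths are constructed and are not ZenTao's real routes) that scans Common Log Format access logs for traversal sequences, including the URL-encoded and double-encoded forms that a naive "../" string match misses:

```php
<?php
// Added example, not ZenTaoPMS code: flag access-log requests that carry directory
// traversal sequences, including URL-encoded and double-encoded forms. The log lines
// and URL paths below are constructed for illustration and are not ZenTao's real routes.
declare(strict_types=1);

// Decode percent-encoding until the string stops changing: "%252e%252e%252f" needs two
// passes before it reads "../". Bounded so hostile input cannot loop forever.
function decodeRepeatedly(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// True when the request target contains a ".." path step after decoding.
// The look-behind keeps names such as "/..data/" or "a../b" from matching.
function isTraversalAttempt(string $target): bool
{
    $normalized = str_replace('\\', '/', decodeRepeatedly($target));
    return (bool) preg_match('#(?<![\w.])\.\.(?:/|$)#', $normalized);
}

// Parse Common Log Format lines and return the suspicious ones.
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|PATCH) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
            continue;                       // not a request line we understand
        }
        [, $ip, $target, $status] = $m;
        if (isTraversalAttempt($target)) {
            $hits[] = [
                'line'    => $index + 1,
                'ip'      => $ip,
                'status'  => (int) $status,
                'decoded' => decodeRepeatedly($target),
            ];
        }
    }
    return $hits;
}

// Constructed sample log (Common Log Format); a nowdoc keeps the backslashes literal.
$sampleLog = <<<'LOG'
198.51.100.7 - - [10/Jan/2025:12:00:01 +0000] "POST /app/upload?name=report.pdf HTTP/1.1" 200 412
198.51.100.7 - - [10/Jan/2025:12:00:05 +0000] "POST /app/upload?name=../../www/cmd.php HTTP/1.1" 200 88
203.0.113.9 - - [10/Jan/2025:12:01:10 +0000] "GET /app/file?path=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 1337
203.0.113.9 - - [10/Jan/2025:12:01:11 +0000] "GET /app/file?path=%252e%252e%252fetc HTTP/1.1" 404 0
192.0.2.4 - - [10/Jan/2025:12:02:00 +0000] "GET /app/docs/..data/index HTTP/1.1" 200 10
192.0.2.4 - - [10/Jan/2025:12:02:30 +0000] "GET /app/upload?name=..\..\win.ini HTTP/1.1" 200 5
LOG;

foreach (scanAccessLog(explode("\n", $sampleLog)) as $hit) {
    printf("line %d  %-14s status %d  %s\n", $hit['line'], $hit['ip'], $hit['status'], $hit['decoded']);
}
```

Of the six constructed lines, four are flagged (the plain, single-encoded, double-encoded and backslash variants) and two are left alone (the clean upload and the "..data" directory name). When triaging, treat a flagged request that returned 200 as higher priority than one that returned 404: the former indicates the application accepted the path. POST bodies are not visible in access logs, so a WAF or application-level log of the upload parameters is needed to cover that channel.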

General Advice: Always run software with the minimum necessary system privileges and maintain a regular schedule for applying security updates to all software components.
