VYPR
Critical severity · NVD Advisory · Published Jul 18, 2025 · Updated Jul 23, 2025

CVE-2025-46001

Description

An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Filemanager v2.3.0 has an arbitrary file upload vulnerability in is_allowed_file_type() that allows PHP files to be uploaded, leading to RCE.

CVE-2025-46001 is an arbitrary file upload vulnerability in the Simogeo Filemanager version 2.3.0, specifically in the is_allowed_file_type() function. The function fails to properly restrict file extensions, allowing a crafted PHP file to be uploaded as a valid file type [1]. This flaw enables an attacker to bypass intended security controls and upload executable server-side code.

Attackers can exploit this vulnerability without authentication by directly uploading a PHP webshell through the file upload feature. The lack of proper validation in the is_allowed_file_type() function means that even when extension checks are enforced, the logic can be circumvented [4]. The vulnerability can also be reached through a rename-based bypass: an attacker uploads a file with a safe extension (e.g., .png) and then renames it to .php using the rename functionality, which performs no separate extension validation [4].

Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to full remote code execution (RCE). This can result in complete compromise of the web application and underlying server, including data theft, defacement, or further lateral movement [4].

The Filemanager project has been deprecated and is no longer maintained [1]. The vulnerability is patched in version 2.4.0, but users are advised to migrate to the RichFileManager fork [1][4]. No official fix is available for the deprecated 2.3.0 release, so immediate upgrade or migration is strongly recommended.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
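As an added example that is not part of this advisory or of the Filemanager code base, the PHP below shows the defensive shape that closes the rename-based bypass described above: an allowlist extension check that is applied to the new name on rename as well as to the uploaded name. All function and constant names are hypothetical.

```php
<?php
// Added example, not Filemanager's own code. Allowlist-based extension
// validation applied to uploads AND renames, so a file uploaded under a
// safe extension cannot later be renamed to .php. Names are hypothetical.

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

function is_allowed_file_type_strict(string $filename): bool
{
    // Use only the final path component and compare case-insensitively,
    // so "IMAGE.PNG" and "image.png" are treated alike; an empty extension
    // (no dot, or a trailing dot) is rejected rather than guessed at.
    $ext = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

function rename_upload(string $dir, string $oldName, string $newName): bool
{
    // The bypass described in the advisory uploads a .png and renames it to
    // .php. Applying the same allowlist to the NEW name closes that path.
    if (!is_allowed_file_type_strict($oldName) || !is_allowed_file_type_strict($newName)) {
        return false;
    }
    $src = $dir . DIRECTORY_SEPARATOR . basename($oldName);
    $dst = $dir . DIRECTORY_SEPARATOR . basename($newName);
    if (!is_file($src) || file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}

// Constructed sample names exercising the upload check.
foreach (['photo.png', 'IMAGE.PNG', 'script.php', 'script.PhP', 'noext', 'trailing.'] as $name) {
    printf("upload %-12s %s\n", $name, is_allowed_file_type_strict($name) ? 'allowed' : 'rejected');
}

// Constructed rename scenario in a throwaway temp directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'photo.png', 'constructed sample bytes');
foreach ([['photo.png', 'photo.php'], ['photo.png', 'photo2.png']] as [$old, $new]) {
    printf("rename %s -> %s: %s\n", $old, $new, rename_upload($dir, $old, $new) ? 'allowed' : 'rejected');
}
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*'));
rmdir($dir);
```

The allowlist, rather than a denylist of executable extensions, is the deliberate choice here: a denylist has to anticipate every extension the web server will execute, while an allowlist only has to name the types the application actually needs.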

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: simogeo/filemanager (Packagist)
Affected versions: >= 0
Patched versions: (none listed)

Patches

No patches discovered yet.
