CVE-2025-58048: Paymenter Remote Code Execution via Unrestricted File Upload
Detects exploitation of CVE-2025-58048, a critical unrestricted file upload vulnerability (CWE-434) in Paymenter versions prior to 1.2.11. Attackers can upload malicious files (e.g., PHP webshells) through publicly accessible upload endpoints, achieving remote code execution on the server. CVSS 9.9 with public PoC available.
Vulnerability Intelligence
Public PoCAffected Software
- Vendor
- composer
- Product
- paymenter/paymenter
- Versions
- < 1.2.11
Weakness (CWE)
Timeline
- Disclosed
- June 22, 2026
References & Proof of Concept
- PoChttps://github.com/advisories/GHSA-5pm9-r2m8-rcmj
- https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5pm9-r2m8-rcmj
- https://nvd.nist.gov/vuln/detail/CVE-2025-58048
- https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b
- https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11
What is CVE-2025-58048 CVE-2025-58048: Paymenter Remote Code Execution via Unrestricted File Upload?
CVE-2025-58048: Paymenter Remote Code Execution via Unrestricted File Upload (CVE-2025-58048) maps to the Initial Access and Execution and Persistence and Impact tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2025-58048: Paymenter Remote Code Execution via Unrestricted File Upload, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence Impact
let suspiciousExtensions = dynamic(['.php', '.php3', '.php4', '.php5', '.phtml', '.phar', '.asp', '.aspx', '.jsp', '.py', '.rb', '.pl', '.sh', '.bash', '.cgi']);
let uploadPaths = dynamic(['/upload', '/uploads', '/files', '/public/uploads', '/storage/app/public']);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (80, 443, 8080, 8443)
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ('FileCreated', 'FileModified')
| where FolderPath has_any (uploadPaths)
| where FileName has_any (suspiciousExtensions)
| project DeviceId, FileCreationTime=Timestamp, FileName, FolderPath, InitiatingProcessName, InitiatingProcessCommandLine
) on DeviceId
| where abs(datetime_diff('second', Timestamp, FileCreationTime)) < 60
| extend RiskIndicator = case(
FileName endswith '.php' or FileName endswith '.phtml', 'PHP webshell upload',
FileName endswith '.jsp', 'JSP webshell upload',
FileName endswith '.sh' or FileName endswith '.bash', 'Shell script upload',
'Suspicious executable upload'
)
| project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, FileName, FolderPath, InitiatingProcessName, InitiatingProcessCommandLine, RiskIndicator
| order by Timestamp descDetects suspicious file uploads to Paymenter public storage directories with executable extensions that could indicate CVE-2025-58048 exploitation. Correlates network connections with file creation events near upload paths.
Data Sources
Required Tables
False Positives
- Legitimate PHP plugin or theme uploads by administrators through authorized CMS interfaces
- Automated deployment pipelines writing PHP files to web directories
- Backup restoration processes creating PHP files in web-accessible directories
- Development environments where developers legitimately upload script files
Sigma rule & cross-platform mapping
The detection logic for CVE-2025-58048: Paymenter Remote Code Execution via Unrestricted File Upload (CVE-2025-58048) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-58048
References (5)
- https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5pm9-r2m8-rcmj
- https://nvd.nist.gov/vuln/detail/CVE-2025-58048
- https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b
- https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11
- https://github.com/advisories/GHSA-5pm9-r2m8-rcmj
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Upload PHP Webshell to Paymenter Public Storage
Expected signal: Web server logs showing POST to /upload with multipart/form-data containing .php file; file creation event in storage/app/public directory; HTTP 200/201 response code
- Test 2Execute Commands via Uploaded Webshell
Expected signal: GET requests to storage/app/public/*.php path; PHP process spawning id, uname, whoami child processes; outbound network connection from PHP/web server process to attacker IP
- Test 3Bypass MIME Type Restriction via Content-Type Spoofing
Expected signal: Web server logs showing POST uploads with mismatched Content-Type and file extension; file creation events with double extensions or PHP extensions in upload directories; magic byte mismatch in uploaded files
Unlock Pro Content
Get the full detection package for CVE-2025-58048 including response playbook, investigation guide, and atomic red team tests.