Detect CVE-2025-58048: Paymenter Remote Code Execution via Unrestricted File Upload in Google Chronicle
Detects exploitation of CVE-2025-58048, a critical unrestricted file upload vulnerability (CWE-434) in Paymenter versions prior to 1.2.11. Attackers can upload malicious files (e.g., PHP webshells) through publicly accessible upload endpoints, achieving remote code execution on the server. CVSS 9.9 with public PoC available.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence Impact
YARA-L Detection Query
rule cve_2025_58048_paymenter_rce_file_upload {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2025-58048 Paymenter unrestricted file upload RCE exploitation"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5pm9-r2m8-rcmj"
cve = "CVE-2025-58048"
events:
$e1.metadata.event_type = "NETWORK_HTTP"
$e1.network.http.method = "POST"
(
$e1.network.http.target_url = /\/upload[s]?\// nocase or
$e1.network.http.target_url = /\/storage\/app\/public\// nocase or
$e1.network.http.target_url = /\/public\/files\// nocase
)
(
$e1.network.http.target_url = /\.(php|php3|php4|php5|phtml|phar|asp|aspx|jsp|sh|bash|py|pl|cgi)(\?|$|#)/ nocase or
$e1.target.file.full_path = /\.(php|php3|php4|php5|phtml|phar|asp|aspx|jsp|sh|bash|py|pl|cgi)$/ nocase
)
$e1.network.http.response_code >= 200
$e1.network.http.response_code < 300
$ip = $e1.principal.ip
match:
$ip over 10m
outcome:
$risk_score = max(95)
$upload_count = count($e1.metadata.id)
$target_url = array_distinct($e1.network.http.target_url)
condition:
$e1
}Chronicle YARA-L rule detecting successful HTTP POST uploads of executable file types to Paymenter public upload directories, indicating CVE-2025-58048 webshell upload attempts.
Data Sources
Required Tables
False Positives & Tuning
- Authorized Paymenter administrators uploading PHP configuration or extension files
- Automated deployment workflows publishing PHP code via HTTP upload endpoints
- Security assessment teams conducting authorized penetration tests
- Internal monitoring agents that perform health-check uploads to verify endpoint availability
Other platforms for CVE-2025-58048
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Upload PHP Webshell to Paymenter Public Storage
Expected signal: Web server logs showing POST to /upload with multipart/form-data containing .php file; file creation event in storage/app/public directory; HTTP 200/201 response code
- Test 2Execute Commands via Uploaded Webshell
Expected signal: GET requests to storage/app/public/*.php path; PHP process spawning id, uname, whoami child processes; outbound network connection from PHP/web server process to attacker IP
- Test 3Bypass MIME Type Restriction via Content-Type Spoofing
Expected signal: Web server logs showing POST uploads with mismatched Content-Type and file extension; file creation events with double extensions or PHP extensions in upload directories; magic byte mismatch in uploaded files
References (5)
- https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5pm9-r2m8-rcmj
- https://nvd.nist.gov/vuln/detail/CVE-2025-58048
- https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b
- https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11
- https://github.com/advisories/GHSA-5pm9-r2m8-rcmj
Unlock Pro Content
Get the full detection package for CVE-2025-58048 including response playbook, investigation guide, and atomic red team tests.