Description
An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. NOTE: The bypass for this vulnerability is tracked as CVE-2015-9263.
Published: 2025-07-16
Score: 9.3 Critical
EPSS: 67.8% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unauthenticated arbitrary file upload in the wizards/post2file.php script. Attackers can post any data and place a crafted PHP file into the webroot, which results in remote code execution as the web server user. The flaw is a combination of missing authentication (CWE‑306) and unrestricted file upload (CWE‑434).

Affected Systems

Idera Up.Time Monitoring Station software up to and including version 7.2 is affected. No other vendors or product versions are noted.

Risk and Exploitability

The CVSS v3 score is 9.3 and the EPSS is 68%, indicating a high probability of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw without authentication by sending a crafted HTTP POST to wizards/post2file.php, enabling arbitrary code execution with the privileges of the web server.

Generated by OpenCVE AI on April 22, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Idera Up.Time Monitoring Station to a version newer than 7.2 or apply the vendor’s official patch that removes the arbitrary upload endpoint.
  • If an upgrade is not immediately feasible, restrict direct access to the wizards/post2file.php endpoint so that only authorized users can reach it and enforce a strict authentication mechanism.
  • Reconfigure the web server so that the upload directory is non‑executable and implement file‑type validation to reject any non‑image or untrusted formats.
  • Monitor the webroot for unexpected PHP files and review logs for abnormal upload activity.

Generated by OpenCVE AI on April 22, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21749 An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. NOTE: The bypass for this vulnerability is tracked as CVE-2015-9263.
History

Thu, 17 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 21:15:00 +0000

Type Values Removed Values Added
Description An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. NOTE: The bypass for this vulnerability is tracked as CVE-2015-9263.
Title Idera Up.Time ≤ 7.2 post2file.php Arbitrary File Upload RCE
Weaknesses CWE-306
CWE-434
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:42.906Z

Reserved: 2025-04-15T19:15:22.561Z

Link: CVE-2025-34121

cve-icon Vulnrichment

Updated: 2025-07-17T19:46:49.605Z

cve-icon NVD

Status : Deferred

Published: 2025-07-16T21:15:27.100

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34121

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z

Weaknesses