JustAppSec

phpBB Phar upload/deserialization bug enables authenticated remote code execution

Published 05 Apr 2026. Updated 05 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR — phpBB attachment upload handling can be abused to deserialize a malicious Phar, letting an authenticated attacker reach server-side code execution on vulnerable installs.

What happened

phpBB is a widely deployed, open-source PHP forum application used to host public communities and internal discussion boards.

CVE-2019-25685 (published on 2026-04-05) describes an arbitrary file upload leading to remote code execution by combining plupload behavior with the phar:// stream wrapper. The CVE record states attackers can upload a crafted ZIP containing serialized PHP objects and get them deserialized via the imagick parameter in attachment settings, resulting in code execution.

A public exploit is referenced (ExploitDB-46512), which materially lowers the barrier to exploitation for environments that still run the affected branch. This is also a recurring PHP application risk pattern: “file upload + gadget deserialization via phar://” has repeatedly shown up as an RCE path across mature PHP stacks.

Who is impacted

  • Deployments running phpBB versions <= 3.2.3.
  • Threat model note: the CVE describes an authenticated attacker; practical exploitability depends on what privileges are required to reach attachment upload and the relevant attachment/imagick configuration path.
  Item                Source value
  Affected versions   <= 3.2.3
  Patched versions    Not stated in the CVE record
  Public exploit      Yes (ExploitDB-46512 referenced)

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the CVE record does not list a fixed version).
  • Inventory where phpBB is deployed (repos, container images, deployed artifacts) and identify any instances still on <= 3.2.3.
  • Treat this as an RCE-class risk in shared/community deployments:
    • Review which authenticated roles can upload attachments and who can access admin control-plane settings that influence attachment processing.
    • If compromise is suspected, hunt for unexpected file writes in web roots and attachment directories, and rotate credentials reachable by the phpBB runtime (DB credentials, SMTP creds, OAuth tokens).
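
As an added defender's example (not code from the page, the CVE record, or the phpBB project), the following Python script supports the inventory and hunt steps above: it locates phpBB installs under a web root, reads PHPBB_VERSION from includes/constants.php (where phpBB 3.x defines it) and flags anything <= 3.2.3, then scans an attachment directory for files carrying a Phar stub or a serialized PHP object. The marker heuristics and the assumption that attachments live in one directory tree are mine, so treat hits as leads to confirm by hand.

```python
import re
from pathlib import Path

AFFECTED_MAX = (3, 2, 3)  # affected range from the CVE record: phpBB <= 3.2.3

# phpBB 3.x declares its version in includes/constants.php as
#   define('PHPBB_VERSION', '3.2.3');
VERSION_RE = re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([^']+)'\s*\)")

# Hunt markers (assumed heuristics): a Phar stub ends with the __HALT_COMPILER
# token, and a serialized PHP object starts with O:<len>:"Class":<count>:{
PHAR_STUB = b"__HALT_COMPILER"
SERIALIZED_OBJ = re.compile(rb'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

def parse_version(source):
    """PHPBB_VERSION from constants.php source as an int tuple, or None."""
    m = VERSION_RE.search(source)
    if not m:
        return None
    parts = m.group(1).split("-")[0].split(".")  # drop -RC1 / -PL1 suffixes
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def is_affected(version):
    """True when a parsed version falls inside the CVE's affected range."""
    return version is not None and version <= AFFECTED_MAX

def find_installs(root):
    """Yield (install_dir, version) for every phpBB tree below root."""
    for const in Path(root).rglob("includes/constants.php"):
        yield const.parent.parent, parse_version(const.read_text(errors="replace"))

def phar_indicators(data):
    """Markers found in one file's bytes; an empty list means none."""
    hits = []
    if PHAR_STUB in data:
        hits.append("phar-stub")
    if SERIALIZED_OBJ.search(data):
        hits.append("serialized-object")
    return hits

def scan_attachments(attach_dir):
    """Map path -> markers for attachment files that carry hunt markers."""
    findings = {}
    for p in Path(attach_dir).rglob("*"):
        if p.is_file():
            hits = phar_indicators(p.read_bytes())
            if hits:
                findings[str(p)] = hits
    return findings
```

Run find_installs(webroot) over each deployment from your inventory and scan_attachments(attach_dir) over its attachment store; an uploaded ZIP that trips the serialized-object marker is the pattern the CVE describes and warrants the credential rotation listed above.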

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
