CVE-2025-34121

Idera Up.Time ≤ 7.2 post2file.php Arbitrary File Upload RCE

CVSS 9.3 CRITICALEPSS 1.7%CWE-306 CWE-434

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 1.7%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

19 Nov 2013Metasploit module available

16 Jul 2025Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. NOTE: The bypass for this vulnerability is tracked as CVE-2015-9263.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Idera · Up.Time Monitoring Station

public PoCs found — 3

cve_referenceraw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/uptime_file_upload_1.rbunverified cve_referenceweb.archive.org/web/20150210113937/http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdfunverified cve_referencewww.exploit-db.com/exploits/38732unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/uptime_file_upload_1.rb https://web.archive.org/web/20150210113937/http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf https://www.exploit-db.com/exploits/38732 https://www.vulncheck.com/advisories/idera-uptime-arbitrary-file-upload-rce