
CVE-2025-34111: CWE-434 Unrestricted Upload of File with Dangerous Type in Tiki Software Community Association Wiki CMS Groupware

Severity: Critical
Tags: CVE-2025-34111, CWE-434, CWE-306, CWE-20
Published: Tue Jul 15 2025 (07/15/2025, 13:09:56 UTC)
Source: CVE Database V5
Vendor/Project: Tiki Software Community Association
Product: Wiki CMS Groupware

Description

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.

AI-Powered Analysis

AI analysis last updated: 11/28/2025, 22:30:08 UTC

Technical Analysis

CVE-2025-34111 is a critical security vulnerability identified in Tiki Wiki CMS Groupware versions 15.1 and earlier. The flaw exists in the ELFinder file manager component, specifically in its default connector script (connector.minimal.php), which is exposed via the /vendor_extra/elfinder/ path. This connector fails to enforce any file type validation, allowing unauthenticated remote attackers to upload arbitrary files, including executable PHP scripts. By crafting a malicious POST request to the ELFinder interface, attackers can upload and execute PHP payloads on the web server hosting the vulnerable Tiki Wiki CMS instance. This leads to remote code execution (RCE) with the privileges of the web server user, potentially allowing full system compromise, data theft, or service disruption. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-306 (Missing Authentication for Critical Function), and CWE-20 (Improper Input Validation). The CVSS 4.0 base score is 9.3, reflecting the vulnerability's critical nature due to its network attack vector, lack of required authentication or user interaction, and high impact on confidentiality, integrity, and availability. No patches or official fixes were listed at the time of publication, and no known exploits have been reported in the wild yet, but the vulnerability is straightforward to exploit. The exposure of the ELFinder connector by default and its lack of file validation represent a significant security risk for any deployment of Tiki Wiki CMS Groupware that has not been updated or mitigated.

Potential Impact

For European organizations, this vulnerability poses a severe risk, particularly for those using Tiki Wiki CMS Groupware for internal collaboration, documentation, or public-facing websites. Successful exploitation allows attackers to execute arbitrary code on the web server, potentially leading to full system compromise, data breaches, defacement, or use of the server as a pivot point for further attacks within the network. Confidential information stored or processed by the CMS can be stolen or altered, impacting data integrity and privacy compliance obligations such as GDPR. Availability may also be affected if attackers deploy ransomware or disrupt services. Public sector entities, educational institutions, and enterprises relying on Tiki Wiki CMS for knowledge management are especially vulnerable. The lack of authentication requirement and ease of exploitation increase the likelihood of automated scanning and attacks. The absence of known exploits in the wild currently offers a window for proactive defense, but the critical severity demands immediate attention to prevent potential widespread exploitation across Europe.

Mitigation Recommendations

1. Immediately disable or restrict access to the ELFinder connector (connector.minimal.php) if it is not essential for operations, especially on public-facing servers. First confirm whether /vendor_extra/elfinder/ is reachable at all from the internet; if it is and nobody uses it, remove the directory or deny it at the web server.
2. Apply strict file upload validation, using an allowlist of permitted extensions and MIME types rather than a deny-list alone. A deny-list that blocks only .php is bypassed by alternate handler extensions (.phtml, .php5, .phar and similar), by double extensions such as name.php.jpg on servers where mod_mime still hands the file to PHP, and by uploading an .htaccess file. Independently of validation, disable script execution in any directory that accepts uploads (for example, no PHP handler for that path), so an uploaded script is served as inert data even if validation fails.
3. Upgrade Tiki Wiki CMS Groupware to a currently supported release. Version 15.1 is many major releases behind the current line, and the advisory's "15.1 and earlier" scope indicates that later releases do not ship the exposed connector in this form.
4. Implement web application firewall (WAF) rules to detect and block POST requests targeting the /vendor_extra/elfinder/ path, and requests for executable-extension files beneath it.
5. Conduct thorough audits of web server directories, in particular the ELFinder upload target, to identify and remove any unauthorized uploaded files, and treat any PHP file found there as evidence of compromise rather than a cleanup task alone.
6. Monitor web server access logs for POSTs to the connector and for subsequent requests to newly created .php files under the ELFinder path; the second request is where execution actually happens.
7. Restrict web server permissions to limit the impact of any successful code execution, for example by running the web server under a least-privilege user with no write access outside the upload directory.
8. Educate administrators about the risks of exposing file manager components without proper security controls.
9. Consider network segmentation to isolate CMS servers from critical infrastructure.

These measures collectively reduce the attack surface and limit the potential damage from exploitation.
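The following script is an added example, not code from the page or from the Tiki project, illustrating mitigation items 2, 4 and 6 above: a strict upload allowlist that rejects the bypasses a bare `.php` deny-list misses, and a detector that runs over Apache combined-format access log lines and flags POSTs to the ELFinder connector plus requests for executable files beneath /vendor_extra/elfinder/. The log lines are constructed for illustration; the `php/` subdirectory in the connector path and the `files/` upload directory are assumptions, since the advisory names only /vendor_extra/elfinder/ and connector.minimal.php.

```python
"""Added example (not from the advisory or Tiki): upload allowlist and access-log detector."""
import re
from urllib.parse import unquote

# Extensions that common PHP handler configurations execute. This is a floor, not a policy:
# the allowlist below is what actually decides whether a name is accepted.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "pht", "inc",
}
# Hypothetical allowlist for a wiki's attachments; adjust to what the site really needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "odt", "ods"}


def is_allowed_upload(filename: str) -> bool:
    """Return True only for names whose final extension is allowlisted and where no
    dotted segment is an executable extension. This rejects 'shell.PHP' (case),
    'shell.php.jpg' (double extension that mod_mime may still pass to PHP),
    '.htaccess' (dotfile that can re-enable execution), names with path separators
    or NUL bytes, and names without any extension."""
    name = filename.lower()
    if not name or "/" in name or "\\" in name or "\x00" in name:
        return False
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "":
        return False
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ELFINDER_PATH = "/vendor_extra/elfinder/"  # exposed path named in the advisory


def classify_request(line: str):
    """Return a finding label for one log line, or None.
    'connector-post'      POST to the connector: elFinder's upload is a multipart POST
                          with cmd=upload in the body, so the URL alone cannot tell an
                          upload from another command; any unauthenticated POST here
                          is worth investigating.
    'php-under-elfinder'  request for an executable-extension file under the path that
                          is not the connector itself, i.e. the post-upload execution step."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group("path")).lower()
    if not path.startswith(ELFINDER_PATH):
        return None
    route = path.split("?", 1)[0]
    basename = route.rsplit("/", 1)[-1]
    ext = basename.rsplit(".", 1)[-1] if "." in basename else ""
    if m.group("method") == "POST" and "connector" in basename:
        return "connector-post"
    if ext in EXECUTABLE_EXTENSIONS and "connector" not in basename:
        return "php-under-elfinder"
    return None


def scan_access_log(lines):
    """Return a list of (ip, timestamp, label, raw_path) for every flagged line."""
    findings = []
    for line in lines:
        label = classify_request(line)
        if label:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), m.group("ts"), label, m.group("path")))
    return findings


# Constructed sample lines (not real traffic); subdirectories php/ and files/ are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2025:13:20:01 +0000] "POST /vendor_extra/elfinder/php/connector.minimal.php HTTP/1.1" 200 312 "-" "python-requests/2.32"',
    '203.0.113.7 - - [15/Jul/2025:13:20:02 +0000] "GET /vendor_extra/elfinder/files/shell.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.32"',
    '198.51.100.4 - - [15/Jul/2025:13:21:09 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jul/2025:13:21:10 +0000] "GET /vendor_extra/elfinder/elfinder.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(*finding)
    for candidate in ["diagram.png", "shell.php", "shell.PHP", "shell.php.jpg", ".htaccess", "notes.phtml"]:
        print(f"{candidate!r}: allowed={is_allowed_upload(candidate)}")
```

In practice the detector would be fed `tail -F` output or a SIEM export; a `connector-post` followed within seconds by a `php-under-elfinder` hit from the same source is the sequence the advisory describes, and the second request should be treated as confirmed execution, not just an attempt.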


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.560Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687654a5a83201eaaccea526

Added to database: 7/15/2025, 1:16:21 PM

Last enriched: 11/28/2025, 10:30:08 PM

Last updated: 12/4/2025, 4:09:47 AM

