CVE-2025-66802: n/a
Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application accepts a PHP reverse shell uploaded as the user's image, enabling RCE.
AI Analysis
Technical Summary
CVE-2025-66802 is a remote code execution vulnerability in Sourcecodester Covid-19 Contact Tracing System version 1.0, assessed here as critical. The root cause is the handling of the user's image upload: the application stores whatever file the client submits, evidently under the web root, without checking that the content is actually an image and without replacing the client-supplied file name and extension with safe, server-chosen ones. An attacker therefore uploads a PHP reverse shell in place of the image, requests the stored file, and the web server executes it, handing the attacker a shell with the privileges of the PHP process. From there the attacker can read the contact tracing database, modify or delete records, or pivot into the rest of the network.

The vulnerability description does not state whether the upload endpoint requires authentication. "Image of the user" suggests a profile-image feature, so an attacker may first need an account, which is a low bar for a public-facing application; beyond that, exploitation needs nothing more than the crafted upload and one follow-up request. At the time of writing no vendor patch has been released and no in-the-wild exploitation has been reported. No CVSS score has been assigned, so the severity is an expert assessment: critical, given full loss of confidentiality, integrity and availability combined with ease of exploitation.

The impact is heightened because contact tracing deployments hold sensitive health and personal data. The underlying defect is a failure to separate user-supplied content from executable content, a basic secure file-handling requirement. Immediate mitigations are to disable script execution in the upload directory, validate uploads server-side as real images, and assign server-generated file names.
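The attack chain described above leaves a recognisable trace in the web server log: a POST to whatever endpoint stores the user's image, followed by a request for a script file under the upload directory. The following PHP script, an added example and not code from the advisory or from the application, flags that pattern in Apache combined-format log lines. The upload endpoint name, the /uploads/ directory and the log lines themselves are constructed assumptions, not observed traffic.

```php
<?php
// Added example: detect "upload then execute" in Apache combined access logs.
// The /uploads/ path, the POST endpoint and the sample lines are assumptions.

const UPLOAD_DIR_RE   = '~^/uploads/~i';
// Script extensions, including double extensions such as shell.php.jpg that
// some Apache AddHandler configurations still execute.
const SCRIPT_EXT_RE   = '~\.(php|phtml|phar|phps|php[0-9])(\.|$)~i';
// ip ident user [time] "METHOD PATH PROTO" status ...
const COMBINED_LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ~';

function parse_line(string $line): ?array
{
    if (!preg_match(COMBINED_LOG_RE, $line, $m)) {
        return null;                       // not a combined-format line
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

function find_upload_execution(array $lines): array
{
    $findings  = [];
    $uploaders = [];   // ip => time of the most recent POST (a possible upload)
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST') {
            $uploaders[$r['ip']] = $r['time'];
        }
        // Strip any query string so "?cmd=id" does not hide the extension.
        $path = parse_url($r['path'], PHP_URL_PATH);
        if (!is_string($path)) {
            $path = $r['path'];
        }
        if (preg_match(UPLOAD_DIR_RE, $path) && preg_match(SCRIPT_EXT_RE, $path)) {
            $findings[] = [
                'ip'         => $r['ip'],
                'path'       => $path,
                'status'     => $r['status'],
                'after_post' => isset($uploaders[$r['ip']]),
                // A 200 means the server served (and, with PHP enabled in that
                // directory, executed) a script from the upload directory.
                'severity'   => $r['status'] === 200 ? 'critical' : 'suspicious',
            ];
        }
    }
    return $findings;
}

// Constructed sample lines, not real traffic:
$sample = [
    '203.0.113.5 - - [12/Jan/2026:19:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2026:19:01:30 +0000] "POST /update_account.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2026:19:01:41 +0000] "GET /uploads/1736708501_shell.php?cmd=id HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Jan/2026:19:05:00 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 23456 "-" "Mozilla/5.0"',
];

foreach (find_upload_execution($sample) as $f) {
    printf("[%s] %s requested %s (HTTP %d)%s\n",
        $f['severity'], $f['ip'], $f['path'], $f['status'],
        $f['after_post'] ? ' after a POST from the same IP' : '');
}
```

Run over the real access log with the directory and endpoint names adjusted to the deployment. The second check, outbound connections from the web server to unexpected destinations, is a firewall or flow-log query rather than an access-log one, because a reverse shell connects out and never appears as an HTTP request.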
Potential Impact
European organizations using the vulnerable Covid-19 Contact Tracing System face severe risks including unauthorized access to sensitive personal and health data, disruption of contact tracing operations, and lateral movement within their networks. Compromise of such a system could undermine public trust in health initiatives and lead to regulatory penalties under GDPR following a data breach. Because the attacker needs at most a low-privilege account to execute arbitrary code on the server, external threat actors, not only insiders, can exploit the vulnerability. Disruption or manipulation of contact tracing data could also have public health consequences, affecting pandemic response efforts. Compromised servers could in turn serve as footholds for attacks against other critical infrastructure. The absence of a patch makes compensating controls urgent. The impact extends beyond confidentiality to integrity and availability, as attackers can alter or delete data and disrupt system operations.
Mitigation Recommendations
1. Identify and inventory all deployments of Sourcecodester Covid-19 Contact Tracing System 1.0 in the organization.
2. Disable script execution in the directory that receives user uploads. On Apache, turn the PHP engine off and deny requests for script extensions in that directory through the server configuration or, where AllowOverride permits it, an .htaccess file; on nginx, give the upload path a location block with no fastcgi_pass. Better still, store uploads outside the web root and serve them through a read-only handler.
3. Validate uploads server-side: sniff the real content type rather than trusting the client-supplied Content-Type or extension, allow only JPEG and PNG, confirm the file decodes as an image, and re-encode it so that any appended or embedded payload is dropped.
4. Discard the client's file name entirely and store the file under a server-generated random name whose extension matches the detected type.
5. Scan the existing upload directory for files that carry script extensions or contain a PHP open tag. Any such file is evidence of prior exploitation and should be handled as an incident, not simply deleted.
6. Monitor web server logs for requests to script files under the upload path, and monitor egress for unexpected outbound connections from the web server, since a reverse shell connects out rather than in.
7. Place the contact tracing system in a segmented network zone with egress filtering and limited access to other systems.
8. Engage the vendor or community to obtain or develop a fix for the upload handling.
9. Restrict which accounts can upload files and enforce strict access controls on the application.
10. Prepare an incident response plan to contain and remediate exploitation quickly.
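As an added example covering both the root cause in the technical summary and recommendations 2, 3 and 4 above, here is the unsafe upload pattern that produces this class of bug beside a hardened replacement. It is not the project's own code; the form field name, the uploads directory and the Apache .htaccess directives are assumptions, and the GD extension is assumed to be available.

```php
<?php
// Added example: a typical unsafe profile-image upload (the class of bug the
// advisory describes) beside a hardened replacement. Neither function is the
// project's own code; the field name 'img' and the uploads directory are assumed.

// --- UNSAFE: trusts the client-supplied file name and extension ---------------
function store_user_image_unsafe(array $file, string $dir): string
{
    // The client names the file "shell.php"; the web server executes it on GET.
    $dest = $dir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- HARDENED -----------------------------------------------------------------
function store_user_image(array $file, string $dir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // 1. Sniff the real content type; never trust $file['type'] or the extension.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('not a JPEG or PNG');
    }
    // 2. Confirm it decodes as an image (a PHP file with a faked header fails here).
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('image does not decode');
    }
    // 3. Re-encode through GD so a payload hidden in metadata or a trailer is dropped.
    if ($mime === 'image/jpeg') {
        $img = imagecreatefromjpeg($file['tmp_name']);
    } else {
        $img = imagecreatefrompng($file['tmp_name']);
        if ($img !== false) {
            imagealphablending($img, false);
            imagesavealpha($img, true);
        }
    }
    if ($img === false) {
        throw new RuntimeException('image does not decode');
    }
    // 4. Server-chosen name and extension; the client's name is discarded entirely.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    $ok   = $mime === 'image/jpeg' ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// 5. Defence in depth: make the upload directory itself refuse to run scripts.
//    php_flag is honoured only by mod_php; the FilesMatch deny also covers
//    php-fpm setups. Requires AllowOverride for this directory (assumption).
function ensure_no_php_execution(string $dir): void
{
    $htaccess = rtrim($dir, '/') . '/.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, implode("\n", [
            '# Serve everything in this directory as static files only',
            'php_flag engine off',
            'RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar',
            '<FilesMatch "\.(php|phtml|php[0-9]|phps|phar)$">',
            '    Require all denied',
            '</FilesMatch>',
        ]) . "\n");
    }
}

// Usage in the upload endpoint (assumed field name 'img' and directory uploads/):
// ensure_no_php_execution(__DIR__ . '/uploads');
// $stored = store_user_image($_FILES['img'], __DIR__ . '/uploads');
```

The re-encoding step is what makes the extension and MIME checks sufficient: a file that passes finfo and getimagesize can still carry a PHP payload in a comment segment or after the image data, but only the pixel data survives imagejpeg or imagepng. The .htaccess is a second layer, not a substitute; if the hosting configuration ignores .htaccess, put the same directives in the main server configuration or move the directory outside the web root.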
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- CVSS Version: none (no score assigned)
- State: PUBLISHED
Threat ID: 69654a41da2266e83806dde7
Added to database: 1/12/2026, 7:23:45 PM
Last enriched: 1/12/2026, 7:38:06 PM
Last updated: 1/12/2026, 11:34:14 PM
Views: 7
Related Threats
- CVE-2026-22214: CWE-121 Stack-based Buffer Overflow in RIOT RIOT OS (Medium)
- CVE-2026-22213: CWE-121 Stack-based Buffer Overflow in RIOT RIOT OS (Low)
- CVE-2024-58340: CWE-1333 Inefficient Regular Expression Complexity in LangChain AI LangChain (High)
- CVE-2024-58339: CWE-770 Allocation of Resources Without Limits or Throttling in run-llama llama_index (High)
- CVE-2024-14021: CWE-502 Deserialization of Untrusted Data in run-llama llama_index (High)