
Tiny Technologies has recently issued a security advisory regarding a critical vulnerability discovered in MoxieManager, a file and media management solution popular for its integration into PHP and .NET environments. This advisory highlights a remote code execution (RCE) flaw that could allow unauthenticated attackers to inject and execute arbitrary code.
MoxieManager is widely used across various platforms, including content management systems (CMS), web hosting controllers, and learning management systems (LMS), to streamline the process of uploading, organizing, and storing media files. However, this newly discovered vulnerability poses a significant risk to these environments.
The security advisory identifies the vulnerability as CVE-2025-30091, assigning it a high-severity CVSSv4 score of 9.4. The advisory states: “A RCE vulnerability was discovered in MoxieManager PHP installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code.”
To address this critical issue, Tiny Technologies has released a patched version, MoxieManager PHP 4.0.0. The advisory details the specific measures taken in this update, including:
- “Sanitizing all request input data to the InstallCommand”
- “Escaping the values that get inserted into the config.php with addslashes”
- Implementing a “Check so that the installer process can’t be executed after installation”
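How the three measures above fit together, as an added PHP sketch that is not MoxieManager's code and is not taken from the advisory. The lock file name, the function names and the single-quoted config layout are assumptions, and the sample request is constructed.

```php
<?php
// Added illustration, not MoxieManager source; every name here is hypothetical.
const LOCK_FILE = 'installed.lock'; // assumed marker written when setup finishes

// Measure 3: refuse to run the installer once setup has completed.
function installer_allowed(string $dir): bool
{
    return !file_exists($dir . '/' . LOCK_FILE);
}

// Measure 1: keep only expected keys, as strings without control characters.
function sanitize_input(array $request, array $allowedKeys): array
{
    $clean = [];
    foreach ($allowedKeys as $key) {
        $value = $request[$key] ?? '';
        $value = is_string($value) ? $value : '';
        $clean[$key] = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    }
    return $clean;
}

// Measure 2: escape each value before placing it in a single-quoted literal.
function render_config(array $values): string
{
    $out = "<?php\n";
    foreach ($values as $key => $value) { // keys come from the allow-list
        $out .= sprintf("\$config['%s'] = '%s';\n", $key, addslashes($value));
    }
    return $out;
}

// Constructed sample request: a quote, a backslash and an unexpected key.
$request = ['license' => "O'Brien \\ Sons", 'unexpected' => 'dropped'];
$dir = sys_get_temp_dir() . '/installer-demo-' . bin2hex(random_bytes(4));
mkdir($dir);

$clean = sanitize_input($request, ['license']);
if (installer_allowed($dir)) {
    file_put_contents($dir . '/config.php', render_config($clean));
    touch($dir . '/' . LOCK_FILE);
}

$config = [];
include $dir . '/config.php';
var_dump($config['license'] === $clean['license']); // escaped value loads back as data
var_dump(installer_allowed($dir));                  // second run is refused
```

addslashes() is sufficient in this sketch only because the value sits inside a single-quoted literal; inside a double-quoted literal `$` would still be interpolated. var_export() is the usual way to emit a PHP literal that round-trips exactly.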
Users of MoxieManager are strongly urged to update to version 4.0.0 or later immediately. For users unable to update immediately, a temporary workaround is available. The advisory suggests a manual step: “A workaround is to manually delete the install directory after installing the software.” This action would prevent unauthenticated attackers from exploiting the installer command.
Tiny Technologies has extended its gratitude to Pierre-Yves Guerder for discovering and reporting this vulnerability.