Description: RCE via file upload
Version affected: iBanking V2.0.0
Version fixed: N/A
System: https://github.com/MartMbithi/iBanking
Researcher: Simon Njuguna
Proof of concept
Description: An arbitrary file upload vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary code by uploading a crafted PHP file.
Steps to reproduce
Using the John Doe Client account we created above, log in and click Account. This will take you to the profile update section.
In the profile picture section, click choose file
You notice that the file selection is not limited and allows uploading of all file types. This means that an attacker can upload a malicious PHP script and gain code execution on the target system, effectively taking over the server.
We will create a simple PHP payload and upload it to the server.
Create a PHP file, payload.php, with the following contents:
<?php system($_REQUEST['cmd']); ?>
In the profile picture section, upload the PHP file and click Update. Since the field does not validate file types, the PHP file will be uploaded.
Navigate to http://iBanking_IP/admin/dist/img and view the uploaded file
Opening the file shows a blank page.
We can now execute system commands by passing them in the cmd request parameter, i.e. by appending ?cmd=command to the URL.
To get a full reverse shell, start a netcat listener on the attacker machine
Then on the iBanking browser (tested on Ubuntu)
On the attacker machine, a connection will be received and the attacker now has control of the machine
Possible Vulnerability Mitigation
Server-side file type validation: Restrict uploads to trusted file types (e.g., images, PDFs) by validating MIME types and extensions.
File storage outside the web root: Store uploaded files outside the web root to prevent direct access and execution.
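Added example, not part of this advisory or of the iBanking code, showing both mitigations above in one PHP upload handler for the profile-picture field; the field name profile_pic and the storage directory are assumptions made for the example:

```php
<?php
// Added example, not iBanking's own code: server-side validation for the
// profile-picture upload. The field name and UPLOAD_DIR are assumptions.
const UPLOAD_DIR = '/var/lib/ibanking/uploads'; // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;             // 2 MiB cap on profile pictures

// Allow-list: permitted extension => MIME type the file content must really have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validates one $_FILES entry (e.g. $_FILES['profile_pic']) and stores it
 * under a random name. Returns the stored filename, or null if rejected.
 */
function store_profile_picture(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                                   // upload failed or missing
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;                                   // oversized or not a real upload
    }
    // The client-supplied name is only consulted for its extension and is never
    // written to disk, so names like "shell.php" or "x.php.jpg" cannot survive.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // Content check 1: MIME type sniffed from the bytes, not from the client header.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Content check 2: the file must parse as an image; a bare PHP script does not.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Random server-chosen name with a fixed, non-executable extension, stored
    // outside the web root so even an image/PHP polyglot is never executed.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;
    return move_uploaded_file($file['tmp_name'], $dest) ? $stored : null;
}
```

Files under UPLOAD_DIR are then served by a small read-only script that looks up the stored name and emits the validated Content-Type, so nothing reachable under the document root is ever handed to the PHP interpreter.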