XunRuiCMS, Deserialization Vulnerability, CVE-2025-1186 (Critical)

How the CVE Works

The vulnerability in XunRuiCMS (up to v4.6.4) stems from insecure deserialization in /Control/Api/Api.php. Attackers can manipulate the `thumb` parameter to inject malicious serialized data, leading to arbitrary code execution. The flaw is remotely exploitable without authentication, leveraging PHP’s unserialize() function to trigger object injection. Publicly disclosed exploits target this weakness, enabling attackers to compromise systems via crafted HTTP requests.

DailyCVE Form

Platform: XunRuiCMS
Version: ≤ 4.6.4
Vulnerability: Deserialization RCE
Severity: Critical
Date: 07/02/2025

Prediction: Patch by 08/15/2025

What Undercode Say

curl -X POST "http://target.com/Control/Api/Api.php" -d "thumb=malicious_serialized_data"

// PoC snippet triggering deserialization
unserialize($_POST['thumb']);

How Exploit

Craft malicious serialized payload.
Send via `thumb` parameter to /Api.php.
Execute arbitrary code on the server.

Protection from this CVE

Update to patched version.
Disable unsafe deserialization.
Input validation/filtering.

Impact

Remote code execution.
Full system compromise.
Data exfiltration.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin

Listen to this Post