CVE-2025-1556
Published: 22 February 2025
Description
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Security Summary
CVE-2025-1556 is a problematic vulnerability discovered in westboy CicadasCMS version 1.0, affecting unknown processing of the /system file within the Template Management component. The core issue involves deserialization of untrusted data, mapped to CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data), and NVD-CWE-Other. Published on 2025-02-22, it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
A remote attacker with high privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating inputs to the affected component, the attacker triggers deserialization, potentially achieving low-level impacts on confidentiality, integrity, and availability without scope changes.
Advisories detailing the issue are available via VulDB entries (ctiid.296507, id.296507, submit.499520) and a GitHub proof-of-concept at https://github.com/FightingLzn9/vul/blob/main/CicadasCMS(2).md. The exploit has been publicly disclosed and may be used by attackers. No specific patch or mitigation details are provided in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization vulnerability in Template Management (/system) enables exploitation of public-facing web application (T1190) and server-side template injection for remote code execution (T1221), as indicated by advisories describing SSTI leading to arbitrary command execution.