CVE-2025-2043
Published: 06 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. (This is the MITRE ATT&CK description of the mapped technique, Exploit Public-Facing Application, not a description of the flaw itself; the flaw is described in the Security Summary below.)
Security Summary
CVE-2025-2043 is a vulnerability in LinZhaoguan pb-cms 1.0.0 that VulDB classifies as critical, although its CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) falls in the Medium band. The flaw lies in an unidentified function of the Add New Topic handler, reached through the admin themes page at /admin#themes. Because a URL fragment (the part after #) is never sent to the server, the backend endpoint that actually processes the request is not named in the advisory. Manipulating the Topic Key argument leads to deserialization of attacker-controlled data; the issue is associated with CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data).
Exploitation is possible over the network without user interaction but requires high privileges (PR:H), i.e. an authenticated administrator account. A successful attack has low impact on confidentiality, integrity and availability within the scope of the affected component. Note that CWE-502 issues are commonly escalated to remote code execution when a usable gadget chain exists in the application's classpath; the low impact ratings describe what was reported, not a guaranteed ceiling.
VulDB documents the issue at https://vuldb.com/?ctiid.298787, https://vuldb.com/?id.298787 and https://vuldb.com/?submit.513243. A GitHub repository at https://github.com/Jingyi-u/Pb-cms2/blob/main/README.md provides additional context; judging by its owner it is a third-party write-up rather than the vendor's repository. An exploit has been publicly disclosed and may be in use.
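The pattern behind this finding, shown as an added illustration rather than code from pb-cms or from the advisory: a handler that rebuilds an object from a request parameter (here the Topic Key) hands the client control over what gets instantiated. The example is written in Python with pickle so the mechanics are visible and runnable; pb-cms's actual stack, the parameter name topicKey and the handler shapes are assumptions, not details taken from the page. It contrasts the vulnerable handler with a fix that never deserializes the value at all (the key is an identifier, so it should be validated as one) and with a restricted unpickler as defense in depth where deserialization cannot be removed, using a constructed payload that calls os.getcwd() at load time in place of a real gadget chain.

```python
"""CWE-502 in an admin handler: a request argument is deserialized as-is.

Illustrative Python, not pb-cms code. The parameter name topicKey, the
handler functions and the sample payloads below are all constructed here.
"""
import base64
import io
import os
import pickle
import re
from typing import Any


def unsafe_parse_topic_key(param: str) -> Any:
    """Vulnerable pattern: trusts whatever the client base64-encoded.

    pickle.loads imports and calls whatever the byte stream names, so the
    client decides which callable runs on the server.
    """
    return pickle.loads(base64.b64decode(param))


# Preferred fix: a topic key is an identifier, so it is never deserialized.
TOPIC_KEY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validated_topic_key(param: str) -> str:
    """Accept only a plain identifier; reject everything else (CWE-20 fix)."""
    if not TOPIC_KEY_RE.fullmatch(param):
        raise ValueError("topicKey must be 1-64 characters of [A-Za-z0-9_-]")
    return param


class _RestrictedUnpickler(pickle.Unpickler):
    """Defense in depth if object deserialization cannot be removed:
    refuse every global reference except an explicit allowlist of
    harmless builtins. Class lookups are the hook every payload needs."""

    ALLOWED = {("builtins", "str"), ("builtins", "dict"), ("builtins", "list")}

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_parse_topic_key(param: str) -> Any:
    return _RestrictedUnpickler(io.BytesIO(base64.b64decode(param))).load()


class _CallOnLoad:
    """Constructed attacker payload: __reduce__ instructs pickle to call
    os.getcwd() with no arguments when the stream is loaded. A real payload
    would name something far less benign; the class itself is not stored."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed request parameter values, as a client would send them.
MALICIOUS_PARAM = base64.b64encode(pickle.dumps(_CallOnLoad())).decode()
BENIGN_PARAM = base64.b64encode(pickle.dumps("default-theme")).decode()


def run_demo() -> dict:
    """Exercise all three handlers against both parameters."""
    out = {}
    # Vulnerable handler: loading the payload executes os.getcwd() and
    # returns its result, proving the client chose the callable.
    out["unsafe_ran_callable"] = unsafe_parse_topic_key(MALICIOUS_PARAM) == os.getcwd()
    # Restricted unpickler: the global lookup for getcwd is refused.
    try:
        restricted_parse_topic_key(MALICIOUS_PARAM)
        out["restricted_blocked"] = False
    except pickle.UnpicklingError:
        out["restricted_blocked"] = True
    out["restricted_benign"] = restricted_parse_topic_key(BENIGN_PARAM)
    # Validator: base64 of a pickle stream is not a plain identifier
    # (it carries '=' padding and is not an allowed character set).
    try:
        validated_topic_key(MALICIOUS_PARAM)
        out["validator_rejected"] = False
    except ValueError:
        out["validator_rejected"] = True
    out["validator_accepts"] = validated_topic_key("default-theme")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The allowlist in the restricted unpickler is the Python analogue of a JDK serialization filter (ObjectInputFilter) or a class allowlist in other serializers; it narrows the blast radius but does not make the design sound. The validator is the real fix: a key that only ever needs to select a theme should never reach a deserializer.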
Details
- CWE(s): CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data)
Affected Products: LinZhaoguan pb-cms 1.0.0
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
The deserialization flaw (CWE-502) sits in the CMS's admin web handler and is reachable over the network by an authenticated, high-privilege user who manipulates a request argument, so an Internet-facing deployment maps to Exploit Public-Facing Application (T1190). Because the prerequisite is an administrator account, the technique applies to an attacker who has already obtained admin credentials, or to a malicious administrator, rather than to an unauthenticated Internet user.