Cyber Posture

CVE-2025-25789

Critical · Public PoC

Published: 26 February 2025

Modified: 09 April 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0227 (84.7th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php.

Security Summary

CVE-2025-25789 is a remote code execution (RCE) vulnerability (CWE-94) in FoxCMS version 1.2.5, published on 2025-02-26. The flaw is in the index() method of the \controller\Sitemap.php component and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is exploitable remotely by unauthenticated attackers with network access, with low attack complexity and no user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability, and enables arbitrary code execution on the affected system.

Advisories and further details are available via references including http://foxcms.com, https://www.foxcms.cn/, and https://github.com/Ka7arotto/FoxCMS/blob/main/FoxCMS-rce3.md.

Details

CWE(s)
CWE-94

Affected Products

Vendor: foxcms
Product: foxcms
Version: 1.2.5
