CVE-2025-25790

CriticalPublic PoC

Published: 26 February 2025

Published

26 February 2025

Modified

09 April 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0021 43.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.

Security Summary

CVE-2025-25790 is an arbitrary file upload vulnerability in the \controller\LocalTemplate.php component of FoxCMS version 1.2.5. Published on 2025-02-26, it allows attackers to execute arbitrary code by uploading a crafted Zip file and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation enables remote arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability on the targeted FoxCMS instance.

Advisories and further details, potentially including mitigation guidance, are referenced at http://foxcms.com, https://www.foxcms.cn/, and https://github.com/Ka7arotto/FoxCMS/blob/main/FoxCMS-upload-rce.md.

Details

CWE(s): CWE-434

Affected Products

foxcms

1.2.5

References

http://foxcms.com
Not Applicable · cve@mitre.org
https://github.com/Ka7arotto/FoxCMS/blob/main/FoxCMS-upload-rce.md
Exploit · cve@mitre.org
https://www.foxcms.cn/
Product · cve@mitre.org
https://github.com/Ka7arotto/FoxCMS/blob/main/FoxCMS-upload-rce.md
Exploit · 134c704f-9b21-4f2e-91b3-4a467353bcc0