CVE-2025-28090
Published: 28 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-28090 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting maccms10 version 2025.1000.4047 in its Collection Custom Interface feature. Published on 2025-03-28, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting network accessibility, low attack complexity, no required privileges or user interaction, unchanged impact scope, high confidentiality and integrity effects, and no availability impact.
Remote, unauthenticated attackers can exploit this SSRF vulnerability over the network with low complexity and no user interaction. Successful exploitation enables high-level compromise of confidentiality and integrity, such as unauthorized access to internal systems or data via forged server requests.
Advisories providing further details, including potential mitigations, are available at https://www.yuque.com/morysummer/vx41bz/xo5w1euakvtgenex.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF vulnerability in public-facing web app (maccms10 Collection Custom Interface) directly enables remote unauthenticated exploitation for internal resource access, mapping to T1190 Exploit Public-Facing Application.