CVE-2025-29306
Published: 27 March 2025
Description
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Security Summary
CVE-2025-29306 is a critical code injection vulnerability (CWE-94) in FoxCMS version 1.2.5, published on 2025-03-27. It allows a remote attacker to execute arbitrary code through the case display page in the index.html component and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by any unauthenticated remote attacker over the network with low attack complexity and no user interaction required. Successful exploitation enables arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to complete system compromise.
For mitigation guidance and patches, refer to the advisory at https://github.com/somatrasss/CVE-2025-29306.
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
- Affected Products: FoxCMS 1.2.5
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-29306 is a remote code execution vulnerability in FoxCMS via parameter injection on the index.html page (the public PoC uses the template-expression syntax ${@print(phpinfo())}), enabling exploitation of a public-facing web application (T1190) and template injection for code execution (T1221).
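As a defender-side illustration of what the technique mapping above implies for detection, the following is an added example (not code from FoxCMS or from the advisory) that scans web server access logs for requests to index.html whose query parameters carry a template expression that invokes a function, the shape of the ${@print(...)} payload quoted above. The log lines, the combined-log format, and the exact call syntaxes matched are constructed assumptions, not taken from the page.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines in Apache combined format (not from any real system).
# Line 2 carries the URL-encoded form of the PoC-style payload; lines 1 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2025:10:00:01 +0000] "GET /index.html?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Mar/2025:10:00:07 +0000] "GET /index.html?id=%24%7B%40print%28phpinfo%28%29%29%7D HTTP/1.1" 200 8191 "-" "curl/8.0"
198.51.100.2 - - [27/Mar/2025:10:00:09 +0000] "GET /index.html?q=price%20%24%7Btotal%7D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Extracts method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Template expressions that call a function: ${@func(...)}, ${func(...)} and {:func(...)}.
# A plain variable reference such as ${total} is deliberately NOT matched; the signal is the call.
# The set of syntaxes is an assumption about PHP template engines, not FoxCMS-specific knowledge.
TEMPLATE_CALL_RE = re.compile(
    r'\$\{\s*@?\s*[A-Za-z_][\w\\]*\s*\('   # ${@func( or ${func(
    r'|\{\s*:\s*[A-Za-z_][\w\\]*\s*\('      # {:func(
)


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded_value) pairs whose value contains a template call expression."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decoding again catches double-encoded payloads.
        decoded = unquote_plus(value)
        if TEMPLATE_CALL_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Flag requests to index.html that carry template-call syntax in any query parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if not urlsplit(target).path.endswith("/index.html"):
            continue
        hits = suspicious_params(target)
        if hits:
            findings.append({"client": line.split()[0], "target": target, "params": hits})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags only the second line, attributing it to client 203.0.113.9 with the decoded parameter value; the benign `${total}` reference in line 3 is not reported.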