Overview
A high-severity Remote Code Execution (RCE) vulnerability, identified as CVE-2025-64050, has been discovered in REDAXO CMS version 5.20.0. This vulnerability allows authenticated administrators to execute arbitrary operating system commands by injecting malicious PHP code into an active template. The injected code is then executed whenever a visitor accesses a frontend page using the compromised template.
Technical Details
The vulnerability resides within the template management component of REDAXO CMS. An authenticated administrator can modify a template, injecting PHP code within the template’s source. This code is then parsed and executed by the server when the template is rendered for frontend users. The exploitation requires administrative privileges, but successful exploitation grants the attacker full control over the underlying server.
The injection point is the template content itself. By saving a template that carries attacker-supplied PHP code, an administrator-level attacker can execute arbitrary commands on the server; the payload runs every time a visitor requests a page that uses the infected template.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-64050 is 7.2 (HIGH).
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): High (H)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality Impact (C): High (H)
- Integrity Impact (I): High (H)
- Availability Impact (A): High (H)
This score reflects the high impact of the vulnerability, as it allows for complete system compromise. One consistency check is worth noting: under the CVSS v3.1 formula the metrics listed above with Scope Changed (S:C) evaluate to 9.1 (Critical), while 7.2 is what the same metrics produce with Scope Unchanged (S:U), so the published record should be consulted for which of the two applies.
Possible Impact
Successful exploitation of CVE-2025-64050 can lead to severe consequences, including:
- Complete System Compromise: Attackers can gain full control of the server, allowing them to modify files, install malware, and access sensitive data.
- Data Breach: Sensitive data stored on the server, including user credentials and database information, can be compromised.
- Website Defacement: Attackers can modify the website’s content, causing reputational damage.
- Denial of Service (DoS): Attackers can disrupt website operations by crashing the server or flooding it with requests.
Mitigation and Patch Steps
To mitigate the risk posed by CVE-2025-64050, the following steps are recommended:
- Upgrade REDAXO CMS: Upgrade to a patched version of REDAXO CMS as soon as it becomes available. Check the official REDAXO website for updates.
- Restrict Administrator Access: Limit the number of users with administrative privileges to only those who absolutely require them.
- Regular Security Audits: Perform regular security audits of your REDAXO CMS installation to identify and address potential vulnerabilities.
- Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with rules to detect and block attempts to inject malicious code into templates.
- Input Validation: Even though this vulnerability requires administrative access, enforce strict input validation and sanitization for all user-supplied data, including template content.
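For the audit step above, one concrete control is to baseline every template's source and alert when an active template changes outside a planned release, because in this CVE the malicious code lives in the template record itself and runs for every visitor. The script below is an added example, not REDAXO project code; the row layout (id, name, content, active, updateuser) imitates a template-table export but is an assumption about the schema, and all rows are constructed sample data.

```python
import hashlib

# Constructed sample rows. The columns imitate a template-table export;
# the exact REDAXO schema is an assumption here, not taken from the advisory.
BASELINE_ROWS = [
    {"id": 1, "name": "Default", "active": 1, "updateuser": "admin",
     "content": "<!DOCTYPE html><html><body>REX_ARTICLE[]</body></html>"},
    {"id": 2, "name": "Landing", "active": 1, "updateuser": "admin",
     "content": "<html><body><main>REX_ARTICLE[]</main></body></html>"},
    {"id": 3, "name": "Legacy", "active": 0, "updateuser": "admin",
     "content": "<html><body>old layout</body></html>"},
]

CURRENT_ROWS = [
    {"id": 1, "name": "Default", "active": 1, "updateuser": "admin",
     "content": "<!DOCTYPE html><html><body>REX_ARTICLE[]</body></html>"},
    # Active template edited by a second account: the case that matters for this CVE.
    {"id": 2, "name": "Landing", "active": 1, "updateuser": "editor2",
     "content": "<html><body><main>REX_ARTICLE[]</main>"
                "<?php /* placeholder for unexpected appended code */ ?></body></html>"},
    # Previously inactive template switched on without a content change.
    {"id": 3, "name": "Legacy", "active": 1, "updateuser": "editor2",
     "content": "<html><body>old layout</body></html>"},
    {"id": 4, "name": "Promo", "active": 0, "updateuser": "admin",
     "content": "<html><body>new draft</body></html>"},
]


def fingerprint(rows):
    """Map template id -> summary carrying a SHA-256 of the template source."""
    return {
        row["id"]: {
            "name": row["name"],
            "active": bool(row["active"]),
            "updateuser": row["updateuser"],
            "sha256": hashlib.sha256(row["content"].encode("utf-8")).hexdigest(),
        }
        for row in rows
    }


def diff_templates(baseline_rows, current_rows):
    """Return findings for templates that were modified, added, removed or (de)activated.

    Each finding carries 'frontend_exposed' so that changes to active templates,
    the ones visitors will cause to execute, sort to the top for triage.
    """
    base = fingerprint(baseline_rows)
    cur = fingerprint(current_rows)
    findings = []
    for tid, now in cur.items():
        before = base.get(tid)
        if before is None:
            change = "added"
        elif before["sha256"] != now["sha256"]:
            change = "modified"
        elif before["active"] != now["active"]:
            change = "activated" if now["active"] else "deactivated"
        else:
            continue
        findings.append({"id": tid, "name": now["name"], "change": change,
                         "by": now["updateuser"], "frontend_exposed": now["active"]})
    for tid in base.keys() - cur.keys():
        findings.append({"id": tid, "name": base[tid]["name"], "change": "removed",
                         "by": None, "frontend_exposed": False})
    return sorted(findings, key=lambda f: (not f["frontend_exposed"], f["id"]))


def exposed_changes(baseline_rows, current_rows):
    """Only the findings that alter what the frontend executes."""
    return [f for f in diff_templates(baseline_rows, current_rows) if f["frontend_exposed"]]


if __name__ == "__main__":
    for f in diff_templates(BASELINE_ROWS, CURRENT_ROWS):
        flag = "ALERT" if f["frontend_exposed"] else "info "
        print(flag, f["id"], f["name"], f["change"], "by", f["by"])
```

Run it against exports taken before and after a change window, or on a schedule with the baseline stored next to the deployment record. Since templates are administrator-edited source to begin with, change detection with attribution (which account, which template, whether it is live) gives a cleaner signal than pattern matching on the template text.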
