CVE-2017-7625

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload malicious PHP files (webshells) to Fiyo CMS servers and execute arbitrary code. It affects all Fiyo CMS 2.x installations up to version 2.0.7. Attackers can achieve full system compromise through remote code execution.

💻 Affected Systems

Products:
  • Fiyo CMS
Versions: 2.0.0 through 2.0.7
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations within the vulnerable version range. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with attacker gaining root/system-level access, data exfiltration, ransomware deployment, and use as pivot point for lateral movement.

🟠 Likely Case

Webshell installation leading to website defacement, data theft, cryptocurrency mining, or botnet recruitment.

🟢 If Mitigated

Attack blocked at the web application firewall (WAF) level with file upload restrictions and input validation.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication, making exposed instances immediate targets.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available. The attack requires only an HTTP POST request to the vulnerable endpoint with malicious content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.8 or later

Vendor Advisory: https://github.com/FiyoCMS/FiyoCMS

Restart Required: No

Instructions:

  1. Back up the current installation and database.
  2. Download the latest version from the official repository.
  3. Replace all files except config.php and the uploads directory.
  4. Verify functionality.

🔧 Temporary Workarounds

Block vulnerable endpoint (platform: all)

Restrict access to the vulnerable PHP file via web server configuration:

# Apache: add to .htaccess (2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below)
<Files "save_file.php">
    Order Deny,Allow
    Deny from all
</Files>
# Nginx: add to server block
location ~* /dapur/apps/app_theme/libs/save_file\.php$ {
    deny all;
    return 403;
}

Disable file uploads (platform: linux)

Remove write permissions from the upload directory:

chmod -R 755 /path/to/fiyo/dapur/apps/app_theme/libs/
chown -R root:www-data /path/to/fiyo/dapur/apps/app_theme/libs/

🧯 If You Can't Patch

  • Implement strict WAF rules to block requests containing webshell patterns and file uploads to the vulnerable endpoint.
  • Isolate the Fiyo CMS instance in a DMZ with strict outbound firewall rules and monitor for suspicious file creation.

🔍 How to Verify

Check if Vulnerable:

Check whether the file exists at /dapur/apps/app_theme/libs/save_file.php and test it with a harmless payload using curl: curl -X POST -d 'content=<?php echo "test"; ?>' http://target/dapur/apps/app_theme/libs/save_file.php

Check Version:

grep -r "version" /path/to/fiyo/ | grep -i "2.0"

Verify Fix Applied:

Attempt the same request after patching; it should receive a 403/404 error or a proper validation failure. Check the version number in the admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /dapur/apps/app_theme/libs/save_file.php
  • File creation in theme directories with .php extension
  • Unusual PHP file execution patterns

Network Indicators:

  • POST requests with PHP code in content parameter
  • Subsequent connections to uploaded PHP files from unusual IPs

SIEM Query:

source="web_logs" AND (url="/dapur/apps/app_theme/libs/save_file.php" OR (url CONTAINS ".php" AND referer CONTAINS "save_file.php"))
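The log indicators above, turned into a small offline detector as an added example (not code from Fiyo CMS or from this advisory): it parses combined-format access-log lines, flags POSTs to the save_file.php endpoint, and escalates any later request from the same client to another PHP file under the theme tree. The log lines are constructed samples; the paths are the ones named on this page.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /dapur/apps/app_theme/libs/save_file.php HTTP/1.1" 200 14 "-" "curl/7.88.1"
203.0.113.10 - - [10/Oct/2023:13:55:45 +0000] "GET /dapur/apps/app_theme/libs/x.php HTTP/1.1" 200 47 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /dapur/apps/app_theme/libs/save_file.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ENDPOINT = "/dapur/apps/app_theme/libs/save_file.php"
# Any PHP script under the theme tree (the endpoint itself is handled separately).
THEME_PHP_RE = re.compile(r"^/dapur/apps/app_theme/.*\.php$")


def analyze(log_text):
    """Return a list of alert dicts, one per suspicious request, in log order."""
    alerts = []
    uploaders = set()  # client IPs whose POST to the endpoint got a 2xx response
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if path == VULN_ENDPOINT:
            if method == "POST":
                alerts.append({"ip": ip, "severity": "high", "status": status,
                               "reason": "POST to save_file.php (CVE-2017-7625)"})
                if status.startswith("2"):
                    uploaders.add(ip)
            else:
                alerts.append({"ip": ip, "severity": "low", "status": status,
                               "reason": "probe of save_file.php"})
        elif ip in uploaders and THEME_PHP_RE.match(path):
            alerts.append({"ip": ip, "severity": "critical", "status": status,
                           "reason": "theme PHP file requested after upload: " + path})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"].upper(), a["ip"], a["status"], a["reason"])
```

Point `analyze` at a real access log (one string) to get the same alert list; a 2xx on the POST followed by a hit on a new theme PHP file is the sequence worth paging on.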
