CVE-2022-25411
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary PHP code on Maxsite CMS v180 installations by uploading a crafted PHP file to the /admin/options endpoint. Any Maxsite CMS v180 installation with the admin interface accessible is affected, potentially leading to complete system compromise.
💻 Affected Systems
- Maxsite CMS
📦 What is this software?
Maxsite Cms by Max 3000
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining full control, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Website defacement, data theft, cryptocurrency mining, or ransomware deployment on vulnerable servers.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and restricted admin access.
🎯 Exploit Status
The vulnerability is straightforward to exploit with publicly available proof-of-concept code. Attackers can upload PHP files without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v181 or later
Vendor Advisory: https://github.com/maxsite/cms/issues/487
Restart Required: No
Instructions:
1. Backup your current installation and database.
2. Download the latest Maxsite CMS version from the official repository.
3. Replace all files except configuration files and the uploads directory.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Block Admin Interface Access
Restrict access to the /admin/ directory using web server configuration or firewall rules.
# Apache:
<Location /admin>
    Require all denied
</Location>
# Nginx:
location /admin {
    deny all;
}
Disable File Uploads
Remove or restrict file upload functionality in the admin interface.
# Remove or comment out file upload handlers in CMS configuration
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the admin interface
- Deploy a web application firewall (WAF) with rules to block PHP file uploads to admin endpoints
🔍 How to Verify
Check if Vulnerable:
Check if your Maxsite CMS version is v180 by examining the CMS version file or admin interface.
Check Version:
Check the CMS version in the admin dashboard or examine the version.txt file in the installation directory.
Verify Fix Applied:
After updating, verify the version shows v181 or later and test that PHP file uploads to /admin/options are properly validated.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /admin/options endpoint
- PHP file execution from unexpected locations
- Multiple failed upload attempts followed by successful PHP upload
Network Indicators:
- HTTP POST requests to /admin/options with PHP file content
- Outbound connections from web server to suspicious IPs after file upload
SIEM Query:
source="web_server.log" AND (uri="/admin/options" AND method="POST" AND (file_extension="php" OR content_type="application/x-php"))
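An added detection example, written for this advisory rather than taken from it or from the Maxsite project: it inspects a captured multipart POST to /admin/options and flags uploaded parts that carry a PHP extension, a PHP content type or a PHP open tag, which is the check the WAF rule and the network indicators above describe. The extension and content-type lists, the request layout and the two sample requests are constructed assumptions, not values from the advisory.

```python
import re
from typing import List

# Assumed lists of extensions and MIME types a PHP-enabled web server treats as code.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_CONTENT_TYPES = {"application/x-php", "application/x-httpd-php", "text/x-php"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def inspect_upload(method: str, uri: str, content_type: str, body: bytes) -> List[str]:
    """Return the reasons a request looks like a PHP upload to /admin/options (empty = clean)."""
    findings: List[str] = []
    if method.upper() != "POST" or uri.split("?", 1)[0].rstrip("/") != "/admin/options":
        return findings
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return findings  # not multipart/form-data, nothing to inspect here
    boundary = b"--" + m.group(1).encode()
    for part in body.split(boundary)[1:]:
        if part.strip() in (b"", b"--"):
            continue  # closing delimiter
        head, _, payload = part.partition(b"\r\n\r\n")
        headers = head.decode("latin-1", "replace")
        fn = re.search(r'filename="([^"]*)"', headers, re.IGNORECASE)
        if fn:
            name = fn.group(1)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in PHP_EXTENSIONS:
                findings.append(f"php extension in filename: {name}")
        ct = re.search(r"content-type:\s*([^\r\n;]+)", headers, re.IGNORECASE)
        if ct and ct.group(1).strip().lower() in PHP_CONTENT_TYPES:
            findings.append(f"php content-type: {ct.group(1).strip()}")
        if PHP_OPEN_TAG.search(payload):
            findings.append("php open tag in part body")
    return findings


# Constructed sample requests: one benign image, one PHP file disguised as an image.
BOUNDARY = "----constructedboundary"
CT = f"multipart/form-data; boundary={BOUNDARY}"


def _multipart(filename: str, part_ct: str, data: bytes) -> bytes:
    head = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: {part_ct}\r\n\r\n')
    return head.encode() + data + f"\r\n--{BOUNDARY}--\r\n".encode()


BENIGN = _multipart("logo.png", "image/png", b"\x89PNG\r\n\x1a\n constructed bytes")
SUSPECT = _multipart("shell.php", "image/png", b"<?php /* constructed marker */ ?>")
```

The disguised upload is flagged on both its extension and its body, so a spoofed Content-Type alone does not evade the check.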