CVE-2022-25581

7.8 HIGH

📋 TL;DR

Classcms v2.5 and below contains an arbitrary file upload vulnerability in the classupload component. Attackers can upload crafted .txt files to execute arbitrary code on the server. This affects all deployments using vulnerable versions of Classcms.

💻 Affected Systems

Products:
  • Classcms
Versions: v2.5 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with file upload functionality enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Webshell deployment leading to data theft, defacement, or use as part of a botnet.

🟢 If Mitigated

Limited impact with proper file upload restrictions and web application firewalls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to file upload functionality but is straightforward once obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Upgrade to a version above v2.5 if available, or apply manual security patches to the classupload component.

🔧 Temporary Workarounds

Restrict file upload extensions

all

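Configure the web server or application to block .txt file uploads through the classupload component.

# Configure in web server (Apache 2.4 example; needs mod_setenvif):
# Note: Request_URI is the request path, so this rule denies requests whose
# path ends in .txt. The filename inside a multipart upload body is not matched.
<Location "/class/classupload">
    SetEnvIf Request_URI "\.txt$" blocktxt
    <RequireAll>
        Require all granted
        Require not env blocktxt
    </RequireAll>
</Location>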

Implement file type validation

all

Add server-side validation to check actual file content, not just extensions.

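# PHP example for file validation:
$tmp = $_FILES['file']['tmp_name'] ?? '';
if (!is_uploaded_file($tmp)) {
    die('No valid upload');
}
// Detect the type from the file content, not the client-supplied name or Content-Type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = $finfo ? finfo_file($finfo, $tmp) : false;
if (!in_array($mime, ['image/jpeg', 'image/png'], true)) {
    http_response_code(415);
    die('Invalid file type');
}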

🧯 If You Can't Patch

  • Disable the classupload component entirely if not required.
  • Implement a Web Application Firewall (WAF) with rules to block malicious file uploads.

🔍 How to Verify

Check if Vulnerable:

Check whether the installation runs Classcms v2.5 or below and whether the file upload functionality is accessible.

Check Version:

Check CMS configuration files or admin panel for version information.

Verify Fix Applied:

Test a file upload with a .txt extension to confirm it is blocked or properly validated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual .txt file uploads to classupload endpoint
  • POST requests with file uploads to vulnerable paths
  • Subsequent execution of uploaded files

Network Indicators:

  • HTTP POST requests to /class/classupload with file uploads
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND uri="/class/classupload" AND method="POST" AND file_extension=".txt"
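
The log indicators above can be correlated from a plain access log, where the uploaded filename itself is not recorded (it sits in the multipart body). This is an added example, not code from the advisory or from Classcms: it flags a .txt request that follows a successful POST to /class/classupload from the same client. The combined log format, the 10-minute window and the sample lines (documentation IPs, made-up /upload/ paths) are assumptions.

```python
import re
from datetime import datetime, timedelta

UPLOAD_PATH = "/class/classupload"   # endpoint named on this page
WINDOW = timedelta(minutes=10)       # assumed correlation window

# Apache/nginx "combined" log format: client, timestamp, method, URI, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (ip, time, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["uri"].split("?", 1)[0]          # ignore the query string
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_upload_then_txt(lines, window=WINDOW):
    """List (ip, upload_time, txt_path, hit_time) for every .txt request made
    within `window` after a successful upload POST from the same client."""
    last_upload = {}                          # ip -> time of last accepted upload
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.startswith(UPLOAD_PATH) and status < 400:
            last_upload[ip] = ts
        elif path.lower().endswith(".txt") and ip in last_upload:
            if timedelta(0) <= ts - last_upload[ip] <= window:
                findings.append((ip, last_upload[ip], path, ts))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2022:10:01:05 +0000] "POST /class/classupload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2022:10:01:40 +0000] "GET /upload/20220312/a1.txt HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2022:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "curl/7.79"',
    '192.0.2.44 - - [12/Mar/2022:10:03:00 +0000] "POST /class/classupload HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2022:10:03:10 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2022:10:30:00 +0000] "GET /upload/20220312/a1.txt HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, up, path, hit in find_upload_then_txt(SAMPLE_LOG):
        print(f"{ip}: upload at {up.isoformat()} then {path} at {hit.isoformat()}")
```

Hits are triage leads rather than proof of compromise: compare each flagged path with the files actually present in the upload directory.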
