CVE-2025-10116
📋 TL;DR
This vulnerability allows remote attackers to upload arbitrary files to SiempreCMS installations via the /docs/admin/file_upload.php endpoint. This can lead to complete system compromise through web shell deployment. All SiempreCMS installations up to version 1.3.6 are affected.
💻 Affected Systems
- SiempreCMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via web shell leading to data theft, ransomware deployment, or complete server takeover.
Likely Case
Attackers upload PHP web shells to gain persistent remote access and execute arbitrary commands on the server.
If Mitigated
File uploads are blocked or properly validated, preventing malicious file execution.
🎯 Exploit Status
Public exploit code is available on GitHub demonstrating file upload abuse.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if released or implementing workarounds.
🔧 Temporary Workarounds
Delete vulnerable file
Linux: Remove the vulnerable file_upload.php file from the server
rm /path/to/siemprecms/docs/admin/file_upload.php
Restrict access via .htaccess
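Linux: Block access to the vulnerable endpoint using Apache mod_rewrite. In a .htaccess file the pattern is matched relative to the directory holding that file, so place the rules in the directory that contains docs/.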
RewriteEngine On
RewriteRule ^docs/admin/file_upload\.php$ - [F,L]
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file uploads to the vulnerable endpoint
- Disable the /docs/admin/ directory entirely if not needed
🔍 How to Verify
Check if Vulnerable:
Check if file exists: ls -la /path/to/siemprecms/docs/admin/file_upload.php
Check Version:
Check SiempreCMS version in configuration files or admin panel
Verify Fix Applied:
Verify the file is removed or inaccessible (expect 404 if the file was deleted, 403 if it is blocked by the rewrite rule): curl -I http://yoursite/docs/admin/file_upload.php
📡 Detection & Monitoring
Log Indicators:
- POST requests to /docs/admin/file_upload.php
- Upload of files with .php, .phtml, or other executable extensions
- Unusual file creation in web directories
Network Indicators:
- HTTP POST requests to the vulnerable endpoint with file uploads
- Traffic patterns showing file uploads followed by execution attempts
SIEM Query:
source="web_logs" AND (uri="/docs/admin/file_upload.php" OR uri="/docs/admin/file_upload") AND method="POST"
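Added example (not from the original advisory or the SiempreCMS project): the log indicators above applied to web server access logs in Python. It flags POSTs to the upload endpoint and then any script path the same client requests for the first time shortly afterwards. The combined log format, the 10-minute window, the sample lines and the /uploads/ path are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Endpoint forms from the SIEM query; extensions from the log indicators.
UPLOAD_PATHS = {"/docs/admin/file_upload.php", "/docs/admin/file_upload"}
EXEC_EXT = (".php", ".phtml")
WINDOW = timedelta(minutes=10)  # assumption: correlation window, tune per site

# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not access-log records
    path = unquote(m["uri"].split("?", 1)[0]).lower()  # drop query, normalise
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], path, int(m["status"])

def detect(lines):
    """Return (uploads, followups): POSTs to the upload endpoint, and script
    paths first requested by the same client within WINDOW of its upload."""
    seen, last_upload, uploads, followups = set(), {}, [], []
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if path in UPLOAD_PATHS:
            if method == "POST":
                uploads.append((ip, ts.isoformat(), status))
                last_upload[ip] = ts
        elif path.endswith(EXEC_EXT):
            recent = ip in last_upload and ts - last_upload[ip] <= WINDOW
            if recent and path not in seen:  # never requested before the upload
                followups.append((ip, path, status))
            seen.add(path)
    return uploads, followups

# Constructed sample lines (documentation IP ranges, hypothetical upload path).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Sep/2025:10:02:10 +0000] "POST /docs/admin/file_upload.php HTTP/1.1" 200 87',
    '192.0.2.44 - - [12/Sep/2025:10:02:15 +0000] "GET /uploads/example.phtml?v=1 HTTP/1.1" 200 12',
    '192.0.2.44 - - [12/Sep/2025:10:02:20 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Sep/2025:11:00:00 +0000] "GET /uploads/other.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    uploads, followups = detect(SAMPLE_LOG)
    print(*uploads, *followups, sep="\n")
```

A follow-up hit with status 200 on a path that did not exist before the upload is the case to triage first; pair it with file-integrity monitoring on the web directories to cover the "unusual file creation" indicator.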