CVE-2025-10993

4.7 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code through template management functionality in MuYuCMS. It affects all installations of MuYuCMS up to version 2.7. Attackers can exploit this flaw to gain unauthorized access and control over affected systems.

💻 Affected Systems

Products:
  • MuYuCMS
Versions: All versions up to and including 2.7
Operating Systems: Any OS running MuYuCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Template Management component via /admin.php endpoint

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to data theft, ransomware deployment, or persistent backdoor installation

🟠 Likely Case: Unauthorized administrative access leading to website defacement, data manipulation, or credential theft

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, potentially only affecting the CMS instance

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via admin.php, making internet-facing instances particularly vulnerable
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access, reducing exposure surface

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to admin.php endpoint; likely requires some level of authentication or access to the admin interface

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.7 (check vendor for specific version)

Vendor Advisory: https://gitee.com/MuYuCMS/MuYuCMS/issues/ICXVCE

Restart Required: No

Instructions:

1. Check current MuYuCMS version.
2. Update to latest version from official repository.
3. Verify /admin.php endpoint is properly secured.
4. Review template management permissions.

🔧 Temporary Workarounds

Restrict admin.php access

all

Limit access to the vulnerable endpoint using network controls

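# Use firewall rules to restrict access to /admin.php
# Note: string matching only sees cleartext HTTP (not TLS-encrypted traffic) and this rule blocks every client, administrators included
# Example: iptables -A INPUT -p tcp --dport 80 -m string --string "/admin.php" --algo bm -j DROP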

Disable template management

all

Temporarily disable template management functionality if not required

# Rename or remove template management files
# Example: mv /path/to/template_management.php /path/to/template_management.php.disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MuYuCMS instances
  • Deploy web application firewall with code injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check MuYuCMS version; if version ≤ 2.7, system is vulnerable. Review /admin.php access logs for suspicious template management activity.

Check Version:

Check MuYuCMS configuration files or admin panel for version information

Verify Fix Applied:

Verify MuYuCMS version is > 2.7. Test template management functionality for code injection attempts. Review patch notes from vendor.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin.php with template parameters
  • Multiple failed authentication attempts followed by template management requests
  • Unexpected file creation or modification in template directories

Network Indicators:

  • HTTP requests containing suspicious code patterns in template parameters
  • Unusual outbound connections from MuYuCMS server

SIEM Query:

source="web_logs" AND uri="/admin.php" AND (method="POST" OR parameters CONTAINS "template")
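The log indicators above can also be checked directly against a web server access log. The following is an added example, not part of the original advisory or of MuYuCMS: it assumes Combined Log Format, that failed admin logins surface as 401/403 responses, and a threshold of three failures; the sample lines and their query-string names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
FAILED_AUTH = {"401", "403"}  # assumption: how this deployment signals a failed admin login
THRESHOLD = 3                 # assumption: failures from one client before escalating

def scan(lines):
    """Return (client_ip, severity, request) alerts for the advisory's log indicators."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, method, uri, status = m.groups()
        parts = urlsplit(uri)
        if parts.path != "/admin.php":
            continue
        if status in FAILED_AUTH:
            failures[ip] += 1
            continue
        # Access logs do not record POST bodies, so only the query string is visible here.
        if method == "POST" and "template" in parts.query.lower():
            severity = "high" if failures[ip] >= THRESHOLD else "review"
            alerts.append((ip, severity, f"{method} {uri}"))
    return alerts

# Constructed sample lines: documentation IP ranges, and query-string names that are
# placeholders, not MuYuCMS's real parameter names.
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2025:13:55:01 +0000] "POST /admin.php?view=login HTTP/1.1" 401 512',
    '198.51.100.7 - - [10/Oct/2025:13:55:03 +0000] "POST /admin.php?view=login HTTP/1.1" 401 512',
    '198.51.100.7 - - [10/Oct/2025:13:55:05 +0000] "POST /admin.php?view=login HTTP/1.1" 401 512',
    '198.51.100.7 - - [10/Oct/2025:13:56:10 +0000] "POST /admin.php?view=template&action=edit HTTP/1.1" 200 2048',
    '203.0.113.20 - - [10/Oct/2025:14:01:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
    '203.0.113.20 - - [10/Oct/2025:14:01:30 +0000] "GET /admin.php?view=template HTTP/1.1" 200 4000',
    '203.0.113.20 - - [10/Oct/2025:14:02:00 +0000] "POST /admin.php?view=template&action=list HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because request bodies are absent from access logs, template data submitted only in a POST body will not match; pair this with file-integrity monitoring of the template directories.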
