Login Sign Up

CVE-2025-14648

4.7 MEDIUM
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on DedeBIZ systems through command injection in the catalog_add.php file. Attackers can exploit this to gain unauthorized access and control over affected servers. Organizations running DedeBIZ up to version 6.5.9 are at risk.

💻 Affected Systems

Products:
  • DedeBIZ
Versions: Up to and including 6.5.9
Operating Systems: Any OS running DedeBIZ (typically Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin interface functionality at /src/admin/catalog_add.php

📦 What is this software?

Dedebiz by Dedebiz

View all CVEs affecting Dedebiz →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Unauthorized command execution leading to data theft, website defacement, or deployment of cryptocurrency miners or backdoors.

🟢

If Mitigated

Limited impact with proper network segmentation, web application firewalls, and least privilege configurations preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin access or authentication bypass to reach vulnerable endpoint

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor DedeBIZ vendor for security updates. 2. Upgrade to version 6.5.10 or later when available. 3. Apply vendor-provided patches.

🔧 Temporary Workarounds

Restrict access to admin interface

all

Limit access to /src/admin/ directory to trusted IP addresses only

# Apache: <Location /src/admin>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Location>
# Nginx: location /src/admin {
    allow 192.168.1.0/24;
    deny all;
}

Disable vulnerable endpoint

linux

Temporarily disable or rename the catalog_add.php file

mv /path/to/dedebiz/src/admin/catalog_add.php /path/to/dedebiz/src/admin/catalog_add.php.disabled

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs in catalog_add.php
  • Deploy web application firewall (WAF) with command injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check if DedeBIZ version is 6.5.9 or earlier and if /src/admin/catalog_add.php exists

Check Version:

grep -r 'DedeBIZ' /path/to/dedebiz/ | grep -i version

Verify Fix Applied:

Verify catalog_add.php has been patched with proper input validation or removed/disabled

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /src/admin/catalog_add.php
  • System commands executed from web process
  • Failed authentication attempts to admin interface

Network Indicators:

  • Suspicious outbound connections from web server
  • Unusual traffic patterns to admin endpoints

SIEM Query:

source="web_access.log" AND (uri="/src/admin/catalog_add.php" OR uri="/admin/catalog_add.php") AND (method="POST" OR status>=400)

📊 Metadata

CVE ID: CVE-2025-14648
CVSS v3 Score: 4.7 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.23% exploit probability (45.8th percentile)
Published: December 14, 2025
Last Updated: December 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14648, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)