CVE-2025-15154

5.3 MEDIUM

📋 TL;DR

This vulnerability in PbootCMS allows attackers to spoof IP addresses by manipulating the X-Forwarded-For header. The system incorrectly trusts this header value for user IP identification, enabling IP-based security bypasses. All PbootCMS installations up to version 3.2.12 are affected.

💻 Affected Systems

Products:
  • PbootCMS
Versions: up to 3.2.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable as the vulnerable function is part of core functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass IP-based access controls, rate limiting, or authentication mechanisms, potentially gaining unauthorized access to admin panels or sensitive functionality.

🟠

Likely Case

IP spoofing to bypass basic security controls like login attempt limits or geographic restrictions.

🟢

If Mitigated

Limited impact if proper validation of client IPs is implemented through multiple verification methods.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires only HTTP header manipulation, making it trivial to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to any version above 3.2.12 if released, or apply manual fixes to the get_user_ip function.

🔧 Temporary Workarounds

Modify get_user_ip function (platform: all)

Edit core/function/handle.php to properly validate X-Forwarded-For headers, or remove trust in this header entirely.

Edit core/function/handle.php and modify the get_user_ip function so that X-Forwarded-For is only honored for requests arriving from trusted proxies.
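One way to implement the trusted-proxy check described above, shown as an added PHP example that is not PbootCMS's own code; the function name get_client_ip, the TRUSTED_PROXIES list and the sample addresses are assumptions:

```php
<?php
// Added example (not PbootCMS code): a trusted-proxy-aware replacement for the
// logic in get_user_ip(). The proxy list below is a constructed assumption.
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.168.1.5/32'];

// IPv4-only CIDR match; anything unparsable is treated as "not in range".
function ip_in_cidr(string $ip, string $cidr): bool {
    $parts  = explode('/', $cidr, 2);
    $subnet = $parts[0];
    $bits   = (int)($parts[1] ?? 32);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false ||
        filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return (ip2long($ip) & $mask) === (ip2long($subnet) & $mask);
}

function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the client IP. REMOTE_ADDR (the TCP peer) is authoritative unless that
// peer is one of our proxies; only then is X-Forwarded-For consulted, walking it
// right-to-left past our own hops so a client-prepended value is never used.
function get_client_ip(string $remote_addr, ?string $xff): string {
    if ($xff === null || !is_trusted_proxy($remote_addr)) {
        return $remote_addr;            // header from an untrusted peer: ignored
    }
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote_addr;        // malformed header: fall back, do not trust
        }
        if (!is_trusted_proxy($hop)) {
            return $hop;                // first address not appended by our proxies
        }
    }
    return $remote_addr;                // every hop was one of our proxies
}

// Constructed requests: a direct connection carrying a spoofed header, then the
// same header arriving through a trusted proxy that appended the real client.
echo get_client_ip('203.0.113.7', '1.2.3.4'), "\n";
echo get_client_ip('10.0.0.2', '1.2.3.4, 198.51.100.9'), "\n";
```

The first call must report the socket peer, not the header value; the second reports the address the trusted proxy appended, not the attacker-supplied first entry.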

Web server header filtering (platform: linux)

Configure the web server to strip or overwrite X-Forwarded-For headers before they reach PbootCMS.

For Apache: mod_headers configuration
For Nginx: proxy_set_header X-Forwarded-For $remote_addr;

🧯 If You Can't Patch

  • Implement WAF rules to detect and block suspicious X-Forwarded-For header patterns
  • Deploy reverse proxy that validates and sanitizes all incoming headers before reaching PbootCMS

🔍 How to Verify

Check if Vulnerable:

Check if PbootCMS version is ≤3.2.12 and examine core/function/handle.php for the get_user_ip function that trusts X-Forwarded-For header without validation

Check Version:

Check PbootCMS version in admin panel or examine version files in installation directory

Verify Fix Applied:

Test with crafted X-Forwarded-For headers to ensure they no longer affect the reported user IP

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests with different X-Forwarded-For values from same source IP
  • Suspicious IP patterns in access logs

Network Indicators:

  • HTTP requests containing manipulated X-Forwarded-For headers

SIEM Query:

http.headers:X-Forwarded-For AND (http.user_agent:*PbootCMS* OR http.url_path:*pbootcms*)
