CVE-2025-15375
📋 TL;DR
CVE-2025-15375 is a remote code execution vulnerability in EyouCMS versions up to 1.7.7, caused by insecure deserialization in the arcpagelist handler. Attackers can exploit this flaw by sending specially crafted requests to execute arbitrary code on affected systems. All EyouCMS installations up to version 1.7.7 are vulnerable if the vulnerable component is accessible.
💻 Affected Systems
- EyouCMS
📦 What is this software?
Eyoucms by Eyoucms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, or service disruption.
If Mitigated
Limited impact if proper network segmentation and input validation controls are in place.
🎯 Exploit Status
Proof-of-concept exploit code is publicly available, making exploitation straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.7.8
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download EyouCMS version 1.7.8 from the official source.
3. Replace all files with the new version.
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Disable vulnerable API endpoint
Temporarily disable or restrict access to the vulnerable Ajax.php API endpoint.
# Add to .htaccess for Apache:
RewriteRule ^application/api/controller/Ajax.php - [F]
# For Nginx:
location ~ ^/application/api/controller/Ajax.php { deny all; }
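Input validation filter
Add input validation to filter serialized data in the attstr parameter.
# In application/api/controller/Ajax.php, add validation before unserialize(). Example:
if (!is_string($attstr) || strpos($attstr, 'O:') !== false) { die('Invalid input'); }
This substring check is a stopgap only: it does not cover PHP's other serialized object token (C:) and can reject legitimate values that happen to contain 'O:', so keep it in place only until the upgrade to 1.7.8.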
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the vulnerable endpoint
- Deploy a web application firewall (WAF) with rules to block deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check if EyouCMS version is 1.7.7 or earlier and if the file application/api/controller/Ajax.php exists with unserialize() calls.
Check Version:
Check the version in the admin panel or look for version information in configuration files.
Verify Fix Applied:
Verify the version is 1.7.8 or later and check that the unserialize() function in Ajax.php has been secured or removed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /application/api/controller/Ajax.php
- Serialized data patterns in request parameters
- PHP error logs showing unserialize warnings
Network Indicators:
- HTTP requests containing serialized PHP objects in parameters
- Traffic to the vulnerable endpoint from unexpected sources
SIEM Query:
source="web_logs" AND (uri="/application/api/controller/Ajax.php" OR parameters CONTAINS "attstr")
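The log indicators above can also be checked offline against exported web access logs. The following Python triage script is an added example, not part of the advisory or of EyouCMS; the combined log format, the routed index.php?m=api&c=Ajax&a=arcpagelist URL form and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ENDPOINT = "/application/api/controller/ajax.php"  # path named in the advisory
HANDLER = "arcpagelist"                            # handler named in the advisory
# PHP serialize() object tokens: O:<len>:"Class" or C:<len>:"Class"
OBJECT_TOKEN = re.compile(r'(?<![A-Za-z0-9_])[OC]:\+?\d+:"')
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, harmless stdClass value).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php?m=api&c=Ajax&a=arcpagelist&attstr=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2026:10:00:05 +0000] "GET /application/api/controller/Ajax.php HTTP/1.1" 403 153',
    '192.0.2.10 - - [01/Jan/2026:10:00:09 +0000] "GET /index.php?m=home&c=Index&a=index HTTP/1.1" 200 8841',
]

def decode(value, rounds=2):
    """URL-decode repeatedly so double-encoded values are still inspected."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def triage(line):
    """Return (client, reasons) for one access-log line, or None if unparsable."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    reasons = []
    if url.path.lower() == ENDPOINT or HANDLER in decode(target).lower():
        reasons.append("endpoint")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "attstr":
            reasons.append("attstr-param")
        # parse_qsl decoded once; decode again to catch double encoding
        if OBJECT_TOKEN.search(decode(value, rounds=1)):
            reasons.append("serialized-object")
    return client, sorted(set(reasons))

def scan(lines):
    """Keep only the lines that carry at least one indicator."""
    results = (triage(line) for line in lines)
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, ",".join(reasons))
```

Standard access logs do not record POST bodies, so the serialized-object check only sees query-string parameters; POST requests are still flagged by URL through the endpoint indicator.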
🔗 References
- https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh
- https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh#-span--strong-proof-of-concept---strong---span-
- https://vuldb.com/?ctiid.339083
- https://vuldb.com/?id.339083
- https://vuldb.com/?submit.718481