CVE-2025-15394

4.7 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on iCMS systems through code injection in the configuration parameter handler. Attackers can exploit this by manipulating POST parameters to inject malicious code that gets executed on the server. All iCMS installations up to version 8.0.0 are affected.

💻 Affected Systems

Products:
  • iCMS
Versions: up to 8.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the admin configuration component accessible via POST requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, or pivot to other systems.

🟠 Likely Case

Unauthorized code execution leading to website defacement, data theft, or installation of cryptocurrency miners.

🟢 If Mitigated

Limited impact if proper input validation and WAF rules are in place, potentially resulting in failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available. Attack requires access to the admin configuration interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Add strict input validation to the Save function in ConfigAdmincp.php to sanitize config parameters.

Edit app/config/ConfigAdmincp.php and implement parameter sanitization before processing.

Access Restriction

Applies to: all

Restrict access to the admin configuration interface using IP whitelisting or additional authentication.

Configure the web server (Apache/Nginx) to restrict access to admin paths.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious POST requests to admin configuration endpoints
  • Monitor and audit all access to the admin configuration interface for unusual activity

🔍 How to Verify

Check if Vulnerable:

Check if iCMS version is 8.0.0 or earlier by examining version files or admin interface

Check Version:

Check iCMS version in admin panel or version.txt file

Verify Fix Applied:

Test if code injection attempts are properly blocked in the configuration save functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to ConfigAdmincp.php with suspicious parameter values
  • Multiple failed authentication attempts to admin interface

Network Indicators:

  • POST requests containing code injection patterns to admin configuration endpoints

SIEM Query:

source="web_logs" AND uri="*ConfigAdmincp.php*" AND method="POST" AND (param="*config*" OR body="*eval(*" OR body="*system(*")
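As an added example (not from this page or the iCMS project), the Python below applies the log indicators above to a constructed JSON-lines request log: it flags every POST to ConfigAdmincp.php for audit and raises the severity when the URL-decoded body contains the eval(/system( patterns the SIEM query keys on, so percent-encoded and double-encoded variants are not missed. The log field names, the request URI path and all sample entries are assumptions made up for the example; it presumes a WAF or proxy that records request bodies.

```python
import json
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed JSON-lines request log (field names and URI path are assumptions; a
# plain access log carries no body, so this presumes body logging at a WAF/proxy).
SAMPLE_LOGS = """\
{"ts":"2025-10-01T10:00:01Z","src":"10.0.0.5","method":"GET","uri":"/app/config/ConfigAdmincp.php","body":""}
{"ts":"2025-10-01T10:00:09Z","src":"10.0.0.5","method":"POST","uri":"/app/config/ConfigAdmincp.php","body":"site_name=Example&site_url=https%3A%2F%2Fexample.test"}
{"ts":"2025-10-01T10:02:17Z","src":"203.0.113.9","method":"POST","uri":"/app/config/ConfigAdmincp.php","body":"config%5Bsite_name%5D=1%22%3Beval%28%24c%29"}
{"ts":"2025-10-01T10:02:18Z","src":"203.0.113.9","method":"POST","uri":"/app/config/configadmincp.php","body":"config%5Bsite_name%5D=1%253Bsystem%2528%2524c%2529"}
{"ts":"2025-10-01T10:05:00Z","src":"10.0.0.7","method":"POST","uri":"/app/config/ConfigAdmincp.php","body":"site_name=eval%20is%20a%20word"}
"""

# Code-execution patterns from the page's SIEM query plus close siblings;
# matched on the decoded body so percent-encoded variants do not slip past.
CODE_PATTERNS = re.compile(r"\b(eval|system|exec|shell_exec|passthru|assert)\s*\(", re.I)
CONFIG_HANDLER = "configadmincp.php"

def decode_body(body: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded input is unwrapped."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body

def classify(entry: dict) -> Optional[str]:
    """'high': POST to the config handler with code patterns in the body;
    'review': any other POST to the handler (audit it); None: not of interest."""
    if entry.get("method", "").upper() != "POST":
        return None
    if CONFIG_HANDLER not in entry.get("uri", "").lower():
        return None
    body = decode_body(entry.get("body", ""))
    return "high" if CODE_PATTERNS.search(body) else "review"

def scan(log_text: str) -> list:
    """Classify each JSON line; return the flagged entries with their severity."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        entry = json.loads(line)
        severity = classify(entry)
        if severity:
            hits.append({"ts": entry["ts"], "src": entry["src"], "severity": severity})
    return hits
```

The fifth sample line shows why the pattern requires an opening parenthesis: a field value that merely contains the word "eval" is queued for review rather than raised to high.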
