CVE-2025-22204

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Joomla websites that use the Sourcerer extension. It stems from improper control of code generation (CWE-94), which lets attackers run malicious commands on the server. All Joomla sites running Sourcerer versions before 11.0.0 are affected.

💻 Affected Systems

Products:
  • Joomla Sourcerer Extension
Versions: All versions before 11.0.0
Operating Systems: Any OS running Joomla
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Sourcerer extension to be installed and enabled on Joomla CMS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to install malware, steal data, deface websites, or use the server for further attacks.

🟠 Likely Case

Website defacement, data theft, or installation of backdoors for persistent access.

🟢 If Mitigated

Limited impact if proper network segmentation and web application firewalls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CWE-94 vulnerabilities typically allow straightforward exploitation once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.0

Vendor Advisory: https://regularlabs.com/sourcerer

Restart Required: No

Instructions:

1. Log into the Joomla admin panel.
2. Navigate to Extensions > Manage > Update.
3. Update the Sourcerer extension to version 11.0.0 or later.
4. Alternatively, download the package from the vendor site and install it manually.

🔧 Temporary Workarounds

Disable Sourcerer Extension (applies to: all)

Temporarily disable the vulnerable extension until patching is possible.

Navigate to Extensions > Plugins > Search for 'Sourcerer' > Set Status to Disabled

Remove Sourcerer Extension (applies to: all)

Completely uninstall the extension if not required.

Navigate to Extensions > Manage > Manage > Select Sourcerer > Uninstall

🧯 If You Can't Patch

  • Implement strict web application firewall rules to block suspicious PHP code execution attempts.
  • Restrict access to Joomla admin interface using IP whitelisting and strong authentication.

🔍 How to Verify

Check if Vulnerable:

Check Sourcerer extension version in Joomla admin panel under Extensions > Manage > Manage.

Check Version:

No CLI command; check via Joomla admin interface Extensions > Manage > Manage.

Verify Fix Applied:

Confirm Sourcerer extension version is 11.0.0 or higher in the extensions manager.
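The admin-panel check above does not scale across many sites. The following added example (not from this advisory or from the vendor) shows how the same check can be scripted from the data Joomla already stores: the `#__extensions` table keeps each extension's manifest as JSON in the `manifest_cache` column, and its `version` key is what the extensions manager displays. It assumes the Sourcerer plugin registers with `element = 'sourcerer'`; the sample rows are constructed, not dumped from a real site.

```python
import json
import re

# Sourcerer releases before this one are affected, per the advisory.
FIXED_VERSION = "11.0.0"

# Constructed sample rows shaped like Joomla's #__extensions table, e.g. from
#   SELECT type, folder, element, enabled, manifest_cache
#   FROM #__extensions WHERE element = 'sourcerer';
# The element name "sourcerer" is an assumption about how the plugin registers.
SAMPLE_ROWS = [
    {"type": "plugin", "folder": "system", "element": "sourcerer", "enabled": 1,
     "manifest_cache": '{"name":"System - Sourcerer","version":"10.1.2"}'},
    {"type": "plugin", "folder": "editors-xtd", "element": "sourcerer", "enabled": 1,
     "manifest_cache": '{"name":"Button - Sourcerer","version":"10.1.2"}'},
    {"type": "plugin", "folder": "system", "element": "cache", "enabled": 1,
     "manifest_cache": '{"name":"System - Page Cache","version":"4.4.0"}'},
]


def parse_version(version):
    """Turn '10.1.2', '9.6.1PRO' or '11' into a comparable tuple of ints.

    Missing components count as 0, so '11' compares equal to '11.0.0'. Trailing
    edition markers such as 'PRO' are ignored rather than breaking the parse.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version or "")
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_vulnerable_version(version):
    """True when the installed Sourcerer version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit_extensions(rows, element="sourcerer"):
    """Return one finding per matching extension row: folder, version, enabled, verdict."""
    findings = []
    for row in rows:
        if row["element"] != element:
            continue
        version = json.loads(row["manifest_cache"]).get("version", "")
        findings.append({
            "folder": row["folder"],
            "version": version,
            "enabled": bool(row["enabled"]),
            "vulnerable": is_vulnerable_version(version),
        })
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_ROWS):
        state = "VULNERABLE" if f["vulnerable"] else "patched"
        print(f"{f['folder']:<12} {f['version']:<10} enabled={f['enabled']} -> {state}")
```

Sourcerer ships more than one plugin (a system plugin and an editor button), so the audit reports every row rather than stopping at the first match; a site where only one of them was updated would otherwise look patched.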

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP execution patterns in web server logs
  • Suspicious POST requests containing code snippets
  • Unexpected file creation in Joomla directories

Network Indicators:

  • HTTP requests with encoded PHP code in parameters
  • Unusual outbound connections from web server

SIEM Query:

web.url:*sourcerer* AND (web.method:POST OR web.status:200) AND web.uri:*php*
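The log and network indicators listed above can be checked directly against web server access logs when no SIEM is in place. The following added example (not from this advisory) parses combined-format access-log lines and flags the two indicators the page names: POST requests to URLs containing "sourcerer", and request parameters carrying a URL-encoded PHP open tag. The log lines are constructed for illustration, and the request paths in them are placeholders rather than known exploit URLs.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines (not from any real incident).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2025:12:00:05 +0000] "POST /index.php?option=com_ajax&plugin=sourcerer&format=raw HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.30 - - [10/Mar/2025:12:00:09 +0000] "GET /index.php?option=com_content&id=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:12:00:12 +0000] "POST /administrator/index.php?option=com_login&task=login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Matches "<?php" and the short echo tag "<?=" after decoding.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def classify(entry):
    """Return the indicators a parsed log entry matches (empty list means clean)."""
    reasons = []
    target = entry["target"]
    # Decode twice so a double-encoded payload is still visible to the tag check.
    decoded = unquote_plus(unquote_plus(target))
    if entry["method"] == "POST" and "sourcerer" in target.lower():
        reasons.append("POST to a Sourcerer endpoint")
    if PHP_TAG_RE.search(decoded):
        reasons.append("PHP open tag in request parameters")
    return reasons


def scan_access_log(text):
    """Parse each line and return a record for every line that matched at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            hits.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "target": entry["target"],
                "status": int(entry["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']:<15} {hit['method']:<5} {hit['status']} {hit['target']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Unlike the SIEM query above, which ORs on `status:200`, this version requires the POST method together with the Sourcerer path, and it keeps the response status in each hit so an analyst can separate blocked probes (403) from requests the application actually processed (200).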
