CVE-2025-22974
📋 TL;DR
This SQL injection vulnerability in SeaCMS allows remote attackers to execute arbitrary SQL commands through the DoTranExecSql parameter in phome.php. Attackers can potentially read, modify, or delete database content, and in some configurations execute arbitrary code. All SeaCMS installations up to version 13.2 are affected.
💻 Affected Systems
- SeaCMS
📦 What is this software?
Seacms by Seacms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including arbitrary code execution, database destruction, and potential lateral movement to other systems.
Likely Case
Database compromise leading to data theft, privilege escalation, and website defacement.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only allowing data viewing.
🎯 Exploit Status
Simple SQL injection with public proof-of-concept available. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v13.3 or later
Vendor Advisory: https://github.com/202110420106/CVE/blob/master/seacms/CVE-2025-22974.md
Restart Required: No
Instructions:
1. Download the latest SeaCMS version from the official source.
2. Back up the current installation and database.
3. Replace the vulnerable files with the patched versions.
4. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to filter SQL injection attempts in phome.php
Modify phome.php to sanitize DoTranExecSql parameter using prepared statements or parameterized queries
Web Application Firewall
Deploy a WAF with SQL injection protection rules
Configure WAF to block requests containing SQL injection patterns in DoTranExecSql parameter
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all user inputs
- Restrict database user permissions to minimum required and enable logging of all database queries
🔍 How to Verify
Check if Vulnerable:
Check if SeaCMS version is 13.2 or earlier. Test by sending SQL injection payload to DoTranExecSql parameter in phome.php.
Check Version:
Check the SeaCMS version in the admin panel, or read the version information in the source code
Verify Fix Applied:
Verify version is 13.3 or later. Test that SQL injection attempts no longer succeed.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts
- Requests to phome.php with SQL keywords in parameters
Network Indicators:
- HTTP requests containing SQL injection patterns in DoTranExecSql parameter
- Unusual outbound database connections
SIEM Query:
source="web_logs" AND uri="*phome.php*" AND (param="*DoTranExecSql*" AND (value="*SELECT*" OR value="*UNION*" OR value="*INSERT*" OR value="*DELETE*"))
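The same logic as the log indicators and SIEM query above, as an added example for sites without a SIEM (not part of the original advisory): a small Python scanner that parses Apache/nginx combined-format access log lines, isolates the DoTranExecSql parameter of requests to phome.php, and flags values containing the keywords the query lists. The log lines, client addresses and timestamps are constructed for the example; note that standard access logs only record GET query strings, so a parameter sent in a POST body would need request-body logging or a WAF to be visible at all.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Keywords mirrored from the advisory's SIEM query (matched case-insensitively).
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "DELETE")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

# Combined log format: client ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def check_line(line):
    """Return a finding dict for a phome.php request whose DoTranExecSql
    parameter contains a SQL keyword, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("phome.php"):
        return None  # only the vulnerable script is of interest
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("DoTranExecSql", []):
        # parse_qs already decoded once; decode a second time so that a
        # double-percent-encoded value cannot slip past the keyword match.
        decoded = unquote_plus(value)
        hit = KEYWORD_RE.search(decoded)
        if hit:
            return {"client": m.group("client"), "ts": m.group("ts"),
                    "keyword": hit.group(1).upper(), "value": decoded}
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in (check_line(line) for line in lines) if f]

# Constructed sample log: two flagged requests (one of them double-encoded),
# one unrelated request and one benign phome.php request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /phome.php?DoTranExecSql=1%20UNION%20SELECT%201 HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jan/2025:12:00:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Jan/2025:12:00:03 +0000] "GET /phome.php?DoTranExecSql=abc HTTP/1.1" 200 300',
    '192.0.2.9 - - [10/Jan/2025:12:00:04 +0000] "GET /phome.php?DoTranExecSql=%2553ELECT%25201 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["client"]} {finding["keyword"]}: {finding["value"]!r}')
```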