CVE-2025-25765

4.0 MEDIUM

📋 TL;DR

MRCMS v3.1.2 contains an arbitrary file write vulnerability in the /file/save.do component that allows attackers to write arbitrary files to the server. This affects all systems running MRCMS v3.1.2. The vulnerability could lead to web shell deployment, configuration modification, or denial of service.

💻 Affected Systems

Products:
  • MRCMS
Versions: v3.1.2
Operating Systems: All operating systems running MRCMS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of MRCMS v3.1.2 are vulnerable. The vulnerability exists in the file upload/save functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via web shell deployment leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Web shell deployment allowing persistent access, data exfiltration, or defacement of the website.

🟢 If Mitigated

Limited impact if file system permissions restrict write access to non-critical directories and web root.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface, making internet-facing instances prime targets.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but have reduced attack surface compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

The vulnerability requires authentication to the /file/save.do endpoint. Exploitation involves sending crafted requests to write arbitrary files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Monitor MRCMS vendor channels for security updates.
2. Check if newer versions beyond v3.1.2 address this vulnerability.
3. Apply any available patches immediately when released.

🔧 Temporary Workarounds

Restrict access to /file/save.do endpoint

all

Block or restrict access to the vulnerable endpoint using web server configuration or WAF rules.

# Apache (server or virtual-host context; requires mod_rewrite):
RewriteEngine On
RewriteRule ^/file/save\.do$ - [F]
# Nginx: location ~ ^/file/save\.do$ { deny all; }

Implement strict file upload validation

all

Add server-side validation to restrict file types, names, and paths that can be written.
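
One way to implement the name, type and path checks described above, as an added example (not MRCMS code, written in Python for illustration). The function names, the extension allowlist and the base directory are assumptions; the page does not document the parameters of /file/save.do.

```python
import os
import re

# Assumed policy values, not taken from MRCMS: adjust to the deployment.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".txt"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


class RejectedPath(ValueError):
    """Raised when a requested save target violates the policy."""


def resolve_save_target(base_dir: str, requested: str) -> str:
    """Return the absolute path that may be written, or raise RejectedPath."""
    if not requested or "\x00" in requested:
        raise RejectedPath("empty path or NUL byte")
    # Treat both separators alike so backslash traversal is caught on any OS.
    parts = requested.replace("\\", "/").split("/")
    for part in parts:
        # An empty part means a leading, trailing or doubled separator
        # (this also rejects absolute paths); drive letters fail SAFE_NAME.
        if part in ("", ".", "..") or not SAFE_NAME.match(part):
            raise RejectedPath(f"illegal path component: {part!r}")
    ext = os.path.splitext(parts[-1])[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedPath(f"extension not allowed: {ext!r}")
    # Canonicalise (this resolves symlinks) and confirm the result is still
    # inside the base directory before any write happens.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, target]) != base:
        raise RejectedPath("resolves outside the base directory")
    return target


def is_allowed(base_dir: str, requested: str) -> bool:
    """Boolean wrapper for use in a request handler or a log replay."""
    try:
        resolve_save_target(base_dir, requested)
        return True
    except ValueError:  # RejectedPath, or commonpath() on mixed drives
        return False
```

The write itself should use only the path returned by `resolve_save_target`, never the raw request value, and the base directory should sit outside any location the server executes scripts from.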

🧯 If You Can't Patch

  • Implement network segmentation to isolate MRCMS instances from critical systems
  • Deploy a web application firewall (WAF) with rules to detect and block arbitrary file write attempts

🔍 How to Verify

Check if Vulnerable:

Check if MRCMS version is 3.1.2 and if /file/save.do endpoint is accessible with write permissions.

Check Version:

Check MRCMS configuration files or admin panel for version information

Verify Fix Applied:

After applying mitigations, run controlled file write tests to confirm that arbitrary file writes are no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in web server logs
  • Multiple POST requests to /file/save.do with suspicious file names or paths
  • Web shell file creation in unexpected directories

Network Indicators:

  • HTTP POST requests to /file/save.do with file write parameters
  • Traffic patterns indicating file upload attempts to non-standard locations

SIEM Query:

web.url:*file/save.do AND (http.method:POST OR web.status:200) AND (file.extension:php OR file.extension:jsp OR file.extension:asp)
