CVE-2025-25789

9.8 CRITICAL

📋 TL;DR

FoxCMS v1.2.5 contains a critical remote code execution vulnerability in the index() method of the Sitemap controller. This allows unauthenticated attackers to execute arbitrary code on affected systems. All deployments running FoxCMS v1.2.5 are vulnerable.

💻 Affected Systems

Products:
  • FoxCMS
Versions: v1.2.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of FoxCMS v1.2.5 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal data, pivot to internal networks, and establish persistent backdoors.

🟠 Likely Case

Web server compromise leading to data theft, defacement, or cryptocurrency mining operations.

🟢 If Mitigated

Limited impact due to network segmentation, minimal privileges, and active monitoring detecting exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making this easily weaponizable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://foxcms.com

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to a newer version if one is available, or implement the workarounds below.

🔧 Temporary Workarounds

Disable Sitemap Controller

Platform: all

Remove or rename the vulnerable Sitemap.php controller file to prevent exploitation. Note that this also disables the site's sitemap functionality until a fixed version is installed.

mv /path/to/FoxCMS/controller/Sitemap.php /path/to/FoxCMS/controller/Sitemap.php.disabled

Web Application Firewall Rule

Platform: all

Block requests to the vulnerable endpoint using WAF rules.

WAF rule: Block requests containing 'Sitemap' in the URL path or parameters. This will also block legitimate sitemap requests served through that controller, so verify the rule's impact on search-engine crawlers.

🧯 If You Can't Patch

  • Isolate affected systems in a segmented network zone with strict egress filtering
  • Implement strict file integrity monitoring on the FoxCMS installation directory

🔍 How to Verify

Check if Vulnerable:

Check whether the FoxCMS version is 1.2.5 by examining the version files or the admin panel.

Check Version:

grep -r '1.2.5' /path/to/FoxCMS/ (or check the admin dashboard)

Verify Fix Applied:

Verify that the Sitemap.php controller is disabled or removed, and confirm that exploitation attempts against it fail.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Sitemap controller
  • System command execution in web logs
  • Unexpected process spawns from web server

Network Indicators:

  • Outbound connections from web server to suspicious IPs
  • Unusual traffic patterns to/from FoxCMS server

SIEM Query:

source="web_logs" AND (url="*Sitemap*" OR cmd="*" OR process="*sh*")
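Added example (not part of the advisory): a small Python scanner that applies the first log indicator above to web access-log lines, flagging POST requests to the Sitemap controller and counting them per source address. The sample log lines and the URL layout in them are constructed for illustration and are not FoxCMS's actual routing.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format). The URL layout
# (/index.php/Sitemap/index) is an assumption for illustration, not FoxCMS's
# actual routing; the client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php/sitemap HTTP/1.1" 200 1523',
    '203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "POST /index.php/Sitemap/index HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Mar/2025:12:01:10 +0000] "GET /index.php/Article/index HTTP/1.1" 200 4311',
    '203.0.113.5 - - [10/Mar/2025:12:00:05 +0000] "POST /index.php/Sitemap/index?x=1 HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Mar/2025:12:02:00 +0000] "POST /index.php/Login/index HTTP/1.1" 302 0',
    'not a log line',
]

# Fields we need from a combined-format line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_sitemap_posts(lines):
    """Flag POST requests whose path targets the Sitemap controller.
    GETs for a sitemap are normal crawler traffic, so only POSTs count as the
    advisory's 'unusual POST requests' indicator; matching ignores case and
    the query string."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and "sitemap" in path:
            hits.append(rec)
    return hits

def summarize_by_source(hits):
    """Count flagged requests per client address for triage."""
    return dict(Counter(h["ip"] for h in hits))

if __name__ == "__main__":
    flagged = find_sitemap_posts(SAMPLE_LOG)
    print(summarize_by_source(flagged))  # {'203.0.113.5': 2}
```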
