CVE-2025-25802

5.1 MEDIUM

📋 TL;DR

SeaCMS v13.3 contains a remote code execution vulnerability in the admin_ip.php component that allows an authenticated attacker to execute arbitrary code on the web server. All SeaCMS v13.3 installations where the vulnerable component is reachable are affected; successful exploitation can give the attacker full control of the web server.

💻 Affected Systems

Products:
  • SeaCMS
Versions: v13.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin_ip.php component to be accessible, which is typically part of default installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing the attacker to execute arbitrary commands, install malware, steal data, and pivot to other systems.

🟠 Likely Case

Web server compromise leading to website defacement, data theft, and installation of backdoors or cryptocurrency miners.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and access controls prevent exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication to admin panel. Public proof-of-concept available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.seacms.com/

Restart Required: No

Instructions:

1. Check vendor website for security updates
2. Apply any available patches
3. Verify admin_ip.php is no longer vulnerable

🔧 Temporary Workarounds

Restrict admin panel access

Platform: all

Limit access to the admin panel to trusted IP addresses only

# Configure web server (Apache example)
# In .htaccess or virtual host config:
# Order/Deny/Allow is Apache 2.2 syntax (needs mod_access_compat on 2.4);
# on Apache 2.4 use "Require ip 192.168.1.0/24" inside the block instead.
<Files "admin_ip.php">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Files>

Remove vulnerable file

Platform: linux

Delete or rename the vulnerable admin_ip.php file (run one of the two commands, not both)

# Either delete the file outright:
rm /path/to/seacms/admin_ip.php
# ...or rename it so a backup copy is kept:
mv /path/to/seacms/admin_ip.php /path/to/seacms/admin_ip.php.bak

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SeaCMS server
  • Deploy web application firewall with RCE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if SeaCMS version is 13.3 and admin_ip.php file exists in installation directory

Check Version:

grep -r "SeaCMS" /path/to/seacms/ | grep "version"

Verify Fix Applied:

Verify admin_ip.php file has been removed, renamed, or patched. Test with known exploit to confirm mitigation.
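The two manual checks above (is the version 13.3, and is admin_ip.php still present) can be run as one script. The following is an added example, not SeaCMS code or tooling from the advisory; it assumes that the version string appears somewhere in the installation's PHP or text files in a form like "SeaCMS V13.3", which is an assumption, so treat the reported version as a hint to confirm against the admin panel. The demo builds a constructed fake install in a temporary directory, checks it, applies the rename workaround, and checks again.

```python
import os
import re
import tempfile

# Assumption: the version appears near the product name, e.g. "SeaCMS V13.3".
VERSION_RE = re.compile(r"SeaCMS[^\n]{0,40}?(\d+(?:\.\d+)+)", re.IGNORECASE)
VULNERABLE_VERSION = "13.3"


def find_version_strings(root):
    """Collect every version number found next to 'SeaCMS' in .php/.txt files."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".txt")):
                continue
            try:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="ignore") as fh:
                    for match in VERSION_RE.finditer(fh.read()):
                        found.add(match.group(1))
            except OSError:
                continue
    return sorted(found)


def check_install(root):
    """Return the facts the advisory asks you to verify for one install root."""
    present = os.path.isfile(os.path.join(root, "admin_ip.php"))
    versions = find_version_strings(root)
    return {
        "admin_ip_present": present,
        "versions": versions,
        # Both conditions from the "Check if Vulnerable" step must hold.
        "likely_vulnerable": present and VULNERABLE_VERSION in versions,
    }


def build_fake_install(root, version):
    """Constructed sample install; only exists so the check can be demonstrated offline."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "admin_ip.php"), "w") as fh:
        fh.write("<?php // placeholder standing in for the real file\n")
    with open(os.path.join(root, "version.txt"), "w") as fh:
        fh.write(f"SeaCMS V{version}\n")


def run_demo():
    """Check a fake v13.3 install before and after the rename workaround."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "seacms")
        build_fake_install(root, VULNERABLE_VERSION)
        before = check_install(root)
        # Apply the advisory's rename workaround (mv admin_ip.php admin_ip.php.bak).
        os.rename(os.path.join(root, "admin_ip.php"), os.path.join(root, "admin_ip.php.bak"))
        after = check_install(root)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), run_demo()):
        print(label, result)
```

Run it against a real install with `check_install("/path/to/seacms")`; a result of `likely_vulnerable: True` means both the file and a 13.3 version string were found, and `after` in the demo shows the rename workaround flipping that to `False`.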

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to admin_ip.php
  • Suspicious command execution patterns in web logs
  • Multiple failed authentication attempts to admin panel

Network Indicators:

  • Unusual outbound connections from web server
  • Traffic patterns indicating command and control communication

SIEM Query:

source="web_logs" AND (url="*admin_ip.php*" AND (method="POST" OR params="*cmd*" OR params="*system*"))
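The SIEM query above can be reproduced offline against raw access logs. The following is an added example, not part of the advisory and not a SeaCMS tool; it parses combined-format web server log lines (an assumption about your log format), percent-decodes the query string before matching so that an encoded `%73ystem` is still caught, and applies the same three conditions as the query: a POST to admin_ip.php, or a parameter containing `cmd` or `system`. The sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens mirrored from the advisory's SIEM query (params="*cmd*" OR params="*system*").
SUSPICIOUS_TOKENS = ("cmd", "system")

# Constructed sample log lines for the demo; not captured from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2025:10:02:17 +0000] "POST /admin_ip.php HTTP/1.1" 200 311 "-" "curl/8.4.0"
10.0.0.7 - - [12/Mar/2025:10:02:19 +0000] "GET /admin_ip.php?cmd=id HTTP/1.1" 200 98 "-" "curl/8.4.0"
10.0.0.9 - - [12/Mar/2025:10:03:44 +0000] "GET /admin_ip.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2025:10:04:01 +0000] "GET /admin_ip.php?action=%73ystem HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qsl percent-decodes keys and values, so encoded tokens are normalised.
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the reasons an entry matches the advisory's indicators (empty if none)."""
    if not entry["path"].endswith("/admin_ip.php"):
        return []
    reasons = []
    if entry["method"] == "POST":
        reasons.append("POST to admin_ip.php")
    for key, value in entry["params"]:
        blob = f"{key}={value}".lower()
        for token in SUSPICIOUS_TOKENS:
            if token in blob:
                reasons.append(f"parameter matches '{token}': {key}={value}")
                break
    return reasons


def analyze(log_text):
    """Run the detection over a block of log text and return the matching entries."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "method": entry["method"],
                "target": entry["target"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["target"], "->", "; ".join(hit["reasons"]))
```

Of the five sample lines, three are flagged: the POST, the `cmd=id` request, and the percent-encoded `system` value; the plain GET of admin_ip.php is not, matching the query's logic. Feed a real file in with `analyze(open("access.log").read())` and pivot on the source IPs that appear.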
