CVE-2025-28091
📋 TL;DR
This SSRF vulnerability in maccms10 allows attackers to make the server send arbitrary HTTP requests to internal or external systems via the 'Add Article' functionality. Attackers can potentially access internal services, scan networks, or interact with cloud metadata APIs. Any system running the vulnerable version of maccms10 is affected.
💻 Affected Systems
- maccms10
📦 What is this software?
Maccms by Maccms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access cloud metadata services (AWS/Azure/GCP) to steal credentials, pivot to internal networks, or perform data exfiltration from internal-only services.
Likely Case
Attackers scan internal networks, access internal web applications, or interact with local services that shouldn't be exposed externally.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to denial-of-service or limited information disclosure from allowed endpoints.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. The referenced Chinese documentation suggests exploitation details are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Monitor maccms10 official channels for updates. Consider upgrading to a newer version if available.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to reject URLs with internal IP addresses, localhost, or cloud metadata endpoints
Implement URL validation in the 'Add Article' handler to check for allowed domains only
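An added example of the validation described above, written for this page in Python rather than the project's PHP and not maccms10 code: it allowlists hostnames, restricts schemes, rejects userinfo tricks, and checks that every address the name resolves to is public, so literal internal IPs, localhost and 169.254.169.254 are all refused. The allowlist, the FAKE_DNS table and the function names are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the article fetcher may contact.
ALLOWED_HOSTS = {"cdn.example.com", "img.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
# Constructed stand-in for DNS so the example runs offline; img.example.com
# deliberately maps to an internal address to exercise the post-resolution check.
FAKE_DNS = {"cdn.example.com": ["8.8.8.8"], "img.example.com": ["10.0.0.5"]}

def is_public_ip(ip_str):
    """False for loopback, RFC 1918, link-local (169.254.0.0/16, which holds the
    cloud metadata address), reserved, multicast and unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def resolve_system(host):
    """Live DNS lookup; every A/AAAA answer is checked, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def resolve_fake(host):
    return FAKE_DNS.get(host, [])

def check_fetch_url(url, resolver=resolve_system):
    """Return (allowed, reason) for a URL submitted to the article fetcher."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # e.g. http://cdn.example.com@10.0.0.5/
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:  # literal IPs, localhost, metadata names never match
        return False, "host not on allowlist"
    # An allowed name can still resolve to an internal address (DNS record
    # change or rebinding), so every address it currently maps to is checked.
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "no address"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"
```

The check resolves the name itself; to avoid a check-then-fetch DNS race, the fetcher should connect to the address that passed rather than resolving again.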
Network Egress Filtering
Restrict outbound HTTP/HTTPS traffic from the web server to only necessary external services
# ACCEPT rules must come before the DROP rules, since iptables matches in order.
# '-d allowed-domain.com' is resolved once, when the rule is inserted.
iptables -A OUTPUT -p tcp --dport 80 -d allowed-domain.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -d allowed-domain.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Disable or restrict access to the 'Add Article' functionality
- Implement a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Test if the 'Add Article' functionality accepts URLs pointing to internal services (like http://127.0.0.1:8080) or cloud metadata endpoints
Check Version:
Check maccms10 configuration files or admin panel for version information
Verify Fix Applied:
Verify that URL validation rejects internal IPs, localhost, and cloud metadata domains
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IPs
- Requests to cloud metadata endpoints from web application
- Multiple failed connection attempts to various internal ports
Network Indicators:
- Web server making unexpected HTTP requests to internal network segments
- Traffic to known cloud metadata IPs (169.254.169.254 for AWS)
SIEM Query:
source="web_server_logs" AND (url="*127.0.0.1*" OR url="*localhost*" OR url="*169.254.169.254*" OR url="*metadata.google.internal*")