CVE-2025-29150

4.3 MEDIUM

📋 TL;DR

BlueCMS 1.6 contains an arbitrary file deletion vulnerability that allows attackers to delete files on the server via a crafted request to /publish.php. This affects all installations of BlueCMS 1.6 that have the vulnerable publish.php functionality enabled.

💻 Affected Systems

Products:
  • BlueCMS
Versions: 1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with publish.php accessible are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical system files could be deleted, causing complete system compromise or service disruption, potentially leading to data loss and extended downtime.

🟠 Likely Case

Attackers delete web application files, configuration files, or user-uploaded content, causing service disruption and requiring restoration from backups.

🟢 If Mitigated

If proper file permissions and input validation are in place, impact is limited to deletion of non-critical files within the web directory.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to access the publish.php functionality. The vulnerability is in parameter validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or apply workarounds.

🔧 Temporary Workarounds

Input Validation for id Parameter

Platform: all

Add strict validation to ensure id parameter only contains expected values

Edit publish.php to validate id parameter before processing

Restrict File Deletion Permissions

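Platform: linux

Set proper file permissions to prevent deletion of critical files. On Linux, deleting a file is governed by write permission on its parent directory, so the web server account must also not have write access to the directories that hold these files.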

chmod 644 critical_files
chown root:root critical_files

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block malicious requests to /publish.php
  • Restrict access to publish.php functionality to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check if BlueCMS version is 1.6 and publish.php exists with del functionality

Check Version:

Check BlueCMS configuration files or admin panel for version information

Verify Fix Applied:

Test that crafted requests with malicious id parameters no longer delete files

📡 Detection & Monitoring

Log Indicators:

  • Multiple delete (act=del) requests to /publish.php with unusual id parameters
  • File deletion errors in application logs

Network Indicators:

  • HTTP POST/GET requests to /publish.php?act=del with suspicious parameters

SIEM Query:

source="web_logs" AND uri="/publish.php" AND query CONTAINS "act=del" AND (id CONTAINS "../" OR id CONTAINS "/etc/")
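
The same indicators applied directly to web server access logs, as an added example that is not part of the original advisory. It assumes common/combined log format; the function names and the sample log lines are constructed for illustration. Unlike a literal string match, it URL-decodes the query first and counts flagged requests per client.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Client address, method, request target and status of a common/combined log entry.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Markers taken from the advisory's SIEM query.
MARKERS = ("../", "/etc/")


def flagged_client(line):
    """Return the client address if the line is an act=del request to
    /publish.php whose decoded id contains one of MARKERS, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path != "/publish.php":
        return None
    # parse_qs percent-decodes values, so "..%2F" is seen as "../",
    # and parameter order in the query string does not matter.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "del" not in params.get("act", []):
        return None
    if any(mk in value for value in params.get("id", []) for mk in MARKERS):
        return client
    return None


def scan(lines):
    """Count flagged requests per client address.
    Limitation: parameters sent in a POST body do not appear in access logs."""
    return dict(Counter(c for c in map(flagged_client, lines) if c))


# Constructed sample entries (documentation address ranges, placeholder file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /publish.php?act=del&id=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /publish.php?act=del&id=..%2F..%2Fexample.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /publish.php?id=%2Fetc%2Fexample&act=del HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?act=del&id=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, count in scan(SAMPLE_LOG).items():
        print(f"{client}: {count} flagged act=del request(s)")
```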
