CVE-2025-34076
📋 TL;DR
A local file inclusion vulnerability in Microweber CMS allows authenticated users to read arbitrary files from the filesystem. Attackers can abuse the backup management API endpoints to disclose sensitive system files. This affects Microweber CMS versions 1.2.11 and earlier.
💻 Affected Systems
- Microweber CMS
📦 What is this software?
Microweber by Microweber
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through disclosure of configuration files, database credentials, SSH keys, and other sensitive data, potentially leading to privilege escalation or lateral movement.
Likely Case
Disclosure of sensitive configuration files, user data, or application secrets that could enable further attacks or data breaches.
If Mitigated
Limited impact with proper access controls, but still potential for information disclosure from accessible files.
🎯 Exploit Status
Metasploit module available. Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.12 or later
Vendor Advisory: https://github.com/microweber/microweber/commit/572bdc36b5b47923790016f6b961c8df53226855
Restart Required: No
Instructions:
1. Update to Microweber CMS version 1.2.12 or later.
2. Apply commits 572bdc3 and 98d0254 if manually patching.
3. Verify the fix by testing the backup API endpoints.
🔧 Temporary Workarounds
Disable Backup API Endpoints
Temporarily disable the vulnerable backup management API endpoints
# Add to .htaccess or web server config (RewriteEngine must be enabled;
# in server/vhost context the pattern needs a leading slash: ^/api/...)
RewriteEngine On
RewriteRule ^api/BackupV2/(upload|download) - [F,L]
Restrict API Access
Limit access to backup API endpoints to trusted IP addresses only
# Apache example
<Location /api/BackupV2/>
Require ip 192.168.1.0/24
</Location>
🧯 If You Can't Patch
- Implement strict access controls and limit user privileges to minimize attack surface
- Monitor and audit all access to backup API endpoints for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Test authenticated access to the /api/BackupV2/upload endpoint with an absolute path in the src parameter
Check Version:
Check the Microweber version in the admin panel or via composer show microweber/microweber
Verify Fix Applied:
Attempt exploitation after patching; a successful fix should reject absolute paths and restrict file access
📡 Detection & Monitoring
Log Indicators:
- Unusual access to backup API endpoints
- Requests with absolute file paths in parameters
- Multiple failed file access attempts
Network Indicators:
- POST requests to /api/BackupV2/upload with src parameter
- GET requests to /api/BackupV2/download with unusual file names
SIEM Query:
source="web_server" AND (uri_path="/api/BackupV2/upload" OR uri_path="/api/BackupV2/download") AND (param_src CONTAINS "/" OR param_src CONTAINS "..")
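As an added example (not part of this advisory or the Microweber project), the indicators above applied to Apache combined-format access-log lines in Python: a request to either BackupV2 endpoint whose src query parameter contains "/" or ".." is flagged, matching the SIEM query. The log lines are constructed samples, and the file name in the traversal line is a placeholder, not a real Microweber path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameter named in the advisory's indicators.
WATCHED_PATHS = {"/api/BackupV2/upload", "/api/BackupV2/download"}
PARAM = "src"

# Apache combined log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def flag_request(method, target):
    """Return a reason string when the request matches the advisory's
    indicators (BackupV2 endpoint, src containing '/' or '..'), else None.
    parse_qs percent-decodes, so %2F and %2E%2E variants are caught too.
    Only query-string parameters are visible in an access log; a src value
    sent in a POST body needs application-level logging to be checked."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if "/" in value or ".." in value:
            return f"{method} {parts.path} src={value!r}"
    return None

def scan_log(lines):
    """Return (user, reason) pairs for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reason = flag_request(m["method"], m["target"])
            if reason:
                hits.append((m["user"], reason))
    return hits

# Constructed sample lines (not real traffic): a benign backup download, an
# absolute-path read, a percent-encoded '..' traversal, and an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jul/2025:10:00:01 +0000] "GET /api/BackupV2/download?filename=site-2025.zip HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [01/Jul/2025:10:00:09 +0000] "GET /api/BackupV2/upload?src=/etc/passwd HTTP/1.1" 200 1804',
    '10.0.0.7 - editor [01/Jul/2025:10:01:30 +0000] "GET /api/BackupV2/download?src=..%2F..%2Fexample-config.php HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jul/2025:10:02:00 +0000] "GET /index.php?src=/x HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for user, reason in scan_log(SAMPLE_LOG):
        print(f"{user}: {reason}")
```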
🔗 References
- https://github.com/microweber/microweber
- https://github.com/microweber/microweber/commit/572bdc36b5b47923790016f6b961c8df53226855
- https://github.com/microweber/microweber/commit/98d025467128ecc24195dcb56c533febc3c91af6
- https://huntr.com/bounties/09218d3f-1f6a-48ae-981c-85e86ad5ed8b
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/gather/microweber_lfi.rb
- https://vulncheck.com/advisories/microweber-cms-lfi