CVE-2025-34467

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated low-privilege users to cause denial-of-service against administrative functionality in ZwiiCMS. When such users attempt to access administrative pages, the system incorrectly acquires resource locks that prevent legitimate administrators from using those features until the attacker's session ends. All ZwiiCMS instances running versions before 13.7.00 are affected.

💻 Affected Systems

Products:
  • ZwiiCMS
Versions: All versions prior to 13.7.00
Operating Systems: All platforms running ZwiiCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires a valid login, so the practical exposure is installations that hand out accounts to untrusted or low-privilege users (editors, members, anyone below administrator). A site whose only account is the administrator's has no one to trigger the lock.

📦 What is this software?

ZwiiCMS (Zwii) is a lightweight open-source PHP content management system maintained by Frédéric Tempez and developed on Codeberg. It stores pages and settings as files rather than in a database, and it provides user accounts with several permission levels below administrator.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrative functionality becomes completely unavailable to legitimate administrators, potentially disrupting critical site management operations until all attacker sessions expire or are terminated.

🟠 Likely Case

Targeted administrative features become intermittently unavailable as attackers exploit the vulnerability, causing operational disruptions and requiring session cleanup.

🟢 If Mitigated

With proper session management and monitoring, impact is limited to temporary inconvenience requiring administrator intervention to terminate malicious sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated account but no skill: simply requesting an administrative URL with a low-privilege session is enough to acquire the lock, even though the request itself is refused.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.7.00

Vendor Advisory: https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00

Restart Required: No

Instructions:

1. Download ZwiiCMS 13.7.00 or later from the official repository.
2. Back up your current installation (files and site data) before touching it.
3. Replace all files with the new version.
4. Verify the update completed successfully by confirming that the installed version reads 13.7.00 or higher.

🔧 Temporary Workarounds

Session Monitoring and Termination (all platforms)

Monitor active sessions and terminate suspicious ones to release the resource locks they hold; a lock is released when the holding session ends, so ending the low-privilege session restores access for administrators.

Access Restriction (all platforms)

Restrict administrative endpoints at the web server to the source addresses administrators use. A blanket deny would lock administrators out as well, which is the very outcome the vulnerability produces, so allow-list the admin network and deny the rest. The /admin/ prefix below is a placeholder: ZwiiCMS reaches its administrative modules through its own routes, so adapt the pattern to the paths of your installation.

# Apache 2.4 example: <LocationMatch "^/admin/">
#                       Require ip 203.0.113.0/24
#                     </LocationMatch>
# Nginx example: location ~ ^/admin/ { allow 203.0.113.0/24; deny all; }

🧯 If You Can't Patch

  • Implement strict session timeout policies to limit attack duration
  • Monitor and alert on unusual patterns of 404 responses from authenticated users

🔍 How to Verify

Check if Vulnerable:

Confirm the installed version is below 13.7.00. To test the behaviour itself, log in with a non-admin account in one browser and request an administrative page (expect a refusal), then log in as an administrator in a second browser and try to use the same feature: on a vulnerable version it is reported as locked until the first session ends.

Check Version:

Read the version from the admin panel, or from the ZWII_VERSION constant in core/core.php. Compare the three components numerically, not as strings, so that a later release such as 13.10.xx is not mistaken for an older one.

Verify Fix Applied:

After updating to 13.7.00 or later, repeat the two-browser test above: the administrator's feature must remain usable while a non-admin session has just been refused on the same page.
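The version check above, written out as an added example (it is not code from the page or from the ZwiiCMS project). It assumes that ZwiiCMS declares its version as a PHP constant named ZWII_VERSION in core/core.php; the numeric tuple comparison is the point, since a plain string comparison would rank 13.10.xx below 13.7.00.

```python
import re
from pathlib import Path

# First version that carries the fix, from the advisory.
FIXED = (13, 7, 0)

# Assumption for this example: ZwiiCMS declares its version as a PHP
# constant named ZWII_VERSION in core/core.php. If your copy keeps it
# elsewhere, point check_install() at that file instead.
VERSION_FILE = Path("core") / "core.php"
VERSION_RE = re.compile(r"""ZWII_VERSION\s*=\s*['"]([0-9.]+)['"]""")


def parse_version(text):
    """'13.7.00' -> (13, 7, 0).

    Compare as integer tuples: a plain string comparison would rank
    '13.10.00' below '13.7.00' and report a patched site as vulnerable.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ZwiiCMS version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True when the installed version predates 13.7.00."""
    return parse_version(version) < FIXED


def version_from_source(php_source):
    """Pull the version string out of the PHP source, or None if absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def check_install(root):
    """Return (version, vulnerable) for the ZwiiCMS tree at `root`,
    or (None, None) when the version constant cannot be found."""
    src = (Path(root) / VERSION_FILE).read_text(encoding="utf-8", errors="replace")
    version = version_from_source(src)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    version, vulnerable = check_install(root)
    if version is None:
        print(f"no ZWII_VERSION constant found under {root}")
    else:
        state = "VULNERABLE, update to 13.7.00+" if vulnerable else "patched"
        print(f"ZwiiCMS {version}: {state}")
```

Run it from the web root (or pass the path as the first argument); a result of "patched" means the three-part version is numerically at or above 13.7.00.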

📡 Detection & Monitoring

Log Indicators:

  • Multiple 404 responses from authenticated users accessing admin URLs
  • Admin users reporting access denied to normally accessible functions

Network Indicators:

  • Increased session duration for non-admin users
  • Repeated requests to admin endpoints from low-privilege accounts

SIEM Query:

Web server logs carry no "authenticated" flag, so approximate it with the presence of the application's session cookie (log the Cookie request header for this) and aggregate by client address and session id, so that one account's repeated refused requests stand out. Adjust the path pattern to your installation's administrative routes, since /admin/ is a placeholder:

source="web_logs" status=404 uri="/admin/*" cookie="*PHPSESSID=*" | stats count by src_ip, session_id | where count > 3
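The same detection run over log lines, as an added example that is not part of this page or of ZwiiCMS. It assumes an Apache "combined" LogFormat extended with the Cookie request header, PHPSESSID as the session cookie name, and /admin/ as a placeholder for the administrative routes; the log lines are constructed for the example.

```python
import re
from collections import Counter

# Assumed Apache LogFormat: the "combined" format extended with the Cookie
# request header so that the session cookie is visible in the log:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?$'
)

# Placeholder for the administrative routes of the installation (assumption:
# ZwiiCMS does not necessarily serve them under /admin/; adapt the pattern).
ADMIN_PATH_RE = re.compile(r"^/admin/")

# PHP's default session cookie name; change it if the site renames it.
SESSION_COOKIE = "PHPSESSID"
SESSION_RE = re.compile(re.escape(SESSION_COOKIE) + r"=([^;\s]+)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:01:02 +0000] "GET /admin/config HTTP/1.1" 404 512 "-" "Mozilla/5.0" "PHPSESSID=abc123"
203.0.113.7 - - [12/Jun/2025:10:01:05 +0000] "GET /admin/users HTTP/1.1" 404 512 "-" "Mozilla/5.0" "PHPSESSID=abc123; lang=fr"
203.0.113.7 - - [12/Jun/2025:10:01:09 +0000] "GET /admin/theme HTTP/1.1" 404 512 "-" "Mozilla/5.0" "PHPSESSID=abc123"
203.0.113.7 - - [12/Jun/2025:10:01:12 +0000] "GET /admin/config HTTP/1.1" 404 512 "-" "Mozilla/5.0" "PHPSESSID=abc123"
203.0.113.7 - - [12/Jun/2025:10:01:20 +0000] "GET /blog HTTP/1.1" 200 8192 "-" "Mozilla/5.0" "PHPSESSID=abc123"
198.51.100.4 - - [12/Jun/2025:10:02:00 +0000] "GET /admin/config HTTP/1.1" 404 512 "-" "curl/8.0" "-"
203.0.113.9 - - [12/Jun/2025:10:03:00 +0000] "GET /admin/theme HTTP/1.1" 404 512 "-" "Mozilla/5.0" "PHPSESSID=def456"
this line is not a valid log entry
"""


def parse_line(line):
    """Parse one log line into a dict, or return None when it does not match.

    The session id is taken from the Cookie header; a request without one is
    treated as unauthenticated, since only a logged-in session can hold a lock.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    sm = SESSION_RE.search(rec.get("cookie") or "")
    rec["session"] = sm.group(1) if sm else None
    return rec


def admin_404_by_session(lines, threshold=3):
    """Count 404 responses to admin routes per (client ip, session id).

    Returns [(ip, session, count), ...] for every pair at or above
    `threshold`, highest count first. Unauthenticated hits are skipped.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if not ADMIN_PATH_RE.match(rec["path"]) or rec["session"] is None:
            continue
        counts[(rec["ip"], rec["session"])] += 1
    hits = [(ip, sess, n) for (ip, sess), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for ip, sess, n in admin_404_by_session(SAMPLE_LOG.splitlines()):
        print(f"{ip} session {sess}: {n} admin 404s, check for a held lock")
```

On the sample, only the abc123 session from 203.0.113.7 crosses the threshold; the unauthenticated curl hit is ignored because it carries no session and therefore cannot hold a lock. Feed real lines with `admin_404_by_session(open(path))` and terminate the flagged sessions.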

🔗 References

  • ZwiiCMS 13.7.00 release (vendor advisory): https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00