CVE-2025-3735

5.9 MEDIUM

📋 TL;DR

CVE-2025-3735 covers the Drupal Panelizer contributed module. Panelizer is obsolete and no longer receives security fixes, and the advisory does not disclose the nature of the flaw; every Panelizer release is treated as affected and there is no fixed version. Drupal sites still carrying the module remain at risk until it is removed.

💻 Affected Systems

Products:
  • Drupal Panelizer module
Versions: All versions
Operating Systems: All operating systems running Drupal
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites using the obsolete Panelizer module. Panelizer was deprecated and replaced by Layout Builder in Drupal core.

⚠️ Manual Verification Required

The CVE record carries no affected-version ranges (none were supplied by the vendor or NVD), so automated version matching cannot tell whether your site is affected. Check instead whether the module is present and enabled, as described under How to Verify.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Read the vendor advisory (SA-CONTRIB-2025-036, linked under Fix & Mitigation)
  3. Determine whether Panelizer is installed and enabled on your site
  4. Do not wait for a fixed release: the module is unsupported, so removing it is the remediation

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Drupal site through remote code execution or administrative access

🟠

Likely Case

Unauthorized content modification, privilege escalation, or data exposure

🟢

If Mitigated

Limited impact if module is disabled or site has strong access controls

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The advisory does not disclose exploitation details or the class of the flaw. An attacker would have to rediscover it from the module's source, which remains publicly available, so the absence of a public PoC should not be read as lasting protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-036

Restart Required: No

Instructions:

1. Export the active configuration first (drush config:export) so Panelizer layouts can be recovered or migrated; uninstalling a module removes the configuration it owns.
2. Uninstall Panelizer through Drupal before touching any files. Deleting a module's directory while it is still installed leaves Drupal referencing a module it can no longer load.
3. Remove the module files, or run composer remove drupal/panelizer on a Composer-managed site.
4. Rebuild the affected displays with Drupal core's Layout Builder.
5. Update Drupal core to the latest release.

🔧 Temporary Workarounds

Disable Panelizer module

all

Uninstall the Panelizer module so its code no longer executes. Drupal 8 and later have no separate "disabled" state, so uninstall is the operation (Drush 9+ syntax below). On a Drupal 7 site with Drush 8 the equivalent is drush pm-disable panelizer, then drush pm-uninstall panelizer, then drush cc all.

drush pm:uninstall panelizer
drush cr

Remove module files

linux

Remove the Panelizer module files from the server only after the module has been uninstalled in Drupal. On a Composer-managed site use composer remove drupal/panelizer instead of deleting the directory by hand, so composer.lock stays consistent with what is on disk.

rm -rf /path/to/drupal/modules/contrib/panelizer

🧯 If You Can't Patch

  • There is no patch to apply; if the module cannot be removed yet, restrict which accounts can reach content-editing and Panelizer administration pages, and monitor for the indicators listed under Detection & Monitoring
  • Use web application firewall rules to block requests whose path contains panelizer from untrusted sources, accepting that this also blocks legitimate editors until the module is removed

🔍 How to Verify

Check if Vulnerable:

Check if Panelizer module is enabled in Drupal admin or via drush: drush pm-list | grep panelizer

Check Version:

drush pm-list --format=json | jq '.panelizer.version'

Verify Fix Applied:

Confirm Panelizer is absent from the enabled modules: drush pm-list --status=enabled | grep -i panelizer (no output means it is not enabled). Then confirm the module directory is gone as well, since uninstalling alone leaves the code on disk.
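The three checks above can be combined into one script that also distinguishes a module that is merely uninstalled from one that is fully removed. The following is an added example written for this page, not code from the advisory or the Panelizer project. It parses the JSON printed by drush pm:list --format=json and pairs it with a filesystem check; the sample drush output embedded in it is constructed, its version strings are placeholders rather than real Panelizer releases, and the module directory locations it probes are the conventional ones, not something the advisory specifies.

```python
"""Check whether a Drupal site still carries the unsupported Panelizer module.

Added example for this page; it is not code from the advisory or from the
Panelizer project. It parses the JSON that `drush pm:list --format=json` prints
and combines it with a filesystem check, so it tells apart three states the
one-line checks above do not:

  1. Panelizer enabled             -> vulnerable, uninstall it
  2. uninstalled but files on disk -> nothing executes, but dead code remains
  3. not installed, no files       -> clean

SAMPLE_PM_LIST is constructed for the example. The field names (package,
display_name, status, version) follow Drush's pm:list JSON output; the version
strings are placeholders, not real Panelizer releases.
"""
import json
import os
import subprocess
import sys
from typing import Optional, Tuple

MODULE = "panelizer"

# Constructed sample of `drush pm:list --format=json` on a Drupal 10 site.
SAMPLE_PM_LIST = json.dumps({
    "layout_builder": {"package": "Core", "display_name": "Layout Builder",
                       "status": "Enabled", "version": "10.2.5"},
    "panelizer": {"package": "Chaos tool suite", "display_name": "Panelizer",
                  "status": "Enabled", "version": "8.x-4.4"},
    "panels": {"package": "Chaos tool suite", "display_name": "Panels",
               "status": "Disabled", "version": "8.x-4.7"},
})


def run_drush_pm_list(drupal_root: str) -> str:
    """Run drush inside the site and return its pm:list JSON (drush must be on PATH)."""
    proc = subprocess.run(["drush", "pm:list", "--format=json"],
                          cwd=drupal_root, check=True, capture_output=True, text=True)
    return proc.stdout


def module_status(pm_list_json: str, module: str = MODULE) -> Tuple[Optional[str], Optional[str]]:
    """Return (status, version) for `module`, or (None, None) when drush does not list it.

    Drush reports 'Enabled' or 'Disabled'. On Drupal 8 and later 'Disabled'
    means the code is on disk but the module is uninstalled.
    """
    entry = json.loads(pm_list_json).get(module)
    if entry is None:
        return None, None
    return entry.get("status"), entry.get("version")


def module_files_present(drupal_root: str, module: str = MODULE) -> bool:
    """Look in the directories where contrib modules normally live under a site root."""
    candidates = [
        os.path.join(drupal_root, "modules", "contrib", module),
        os.path.join(drupal_root, "modules", module),
        os.path.join(drupal_root, "web", "modules", "contrib", module),  # Composer project layout
    ]
    return any(os.path.isdir(p) for p in candidates)


def assess(pm_list_json: str, files_present: bool, module: str = MODULE) -> str:
    """Classify the site as 'vulnerable', 'files_present' or 'clean'."""
    status, _ = module_status(pm_list_json, module)
    if status == "Enabled":
        return "vulnerable"
    if status == "Disabled" or files_present:
        return "files_present"
    return "clean"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real site, e.g. python3 check_panelizer.py /var/www/drupal (hypothetical path)
        root = sys.argv[1]
        listing, files = run_drush_pm_list(root), module_files_present(root)
    else:                  # no argument: evaluate the constructed sample
        listing, files = SAMPLE_PM_LIST, True
    status, version = module_status(listing)
    print(f"panelizer: status={status} version={version} -> {assess(listing, files)}")
```

Run with the site root as the only argument to query a real installation; with no argument it evaluates the constructed sample and reports "vulnerable". The "files_present" result is the case the page's checks miss: drush no longer reports the module as enabled, but the directory (or a "Disabled" listing) shows the code was never deleted.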

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to Panelizer endpoints
  • Unauthorized access attempts to panelizer-related URLs

Network Indicators:

  • Traffic patterns targeting /panelizer/ paths
  • Unexpected POST requests to Panelizer forms

SIEM Query:

web_access_logs WHERE url CONTAINS 'panelizer' AND (status_code = 200 OR status_code = 403)
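The pseudo-query above, applied to real access logs, looks like the following. This is an added example written for this page, not code from the advisory or from any SIEM vendor. It parses Apache/Nginx combined-format lines, keeps requests whose path mentions panelizer, applies the indicators listed above (POSTs, 200 and 403 responses) and groups the results by client address. The log lines are constructed: the addresses come from documentation ranges and the paths are illustrative, not confirmed Panelizer routes or indicators from a real incident.

```python
"""Flag Panelizer-related requests in combined-format web access logs.

Added example for this page, not code from the advisory. It implements the
indicators listed above (URLs mentioning 'panelizer', POSTs to Panelizer forms,
200 and 403 responses) over Apache/Nginx combined-format lines and groups the
findings by client address. SAMPLE_LOG is constructed; the addresses are
documentation ranges and the paths are illustrative, not confirmed Panelizer
routes or indicators from a real incident.
"""
import re
from collections import Counter
from typing import Dict, List

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one editor session, one admin visit, one scanner probe.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /node/12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:05 +0000] "GET /node/12/panelizer/default HTTP/1.1" 403 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:09 +0000] "POST /node/12/panelizer/default/content HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.22 - - [12/May/2025:10:02:00 +0000] "GET /admin/structure/panelizer HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.22 - - [12/May/2025:10:02:30 +0000] "GET /user/login HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2025:10:03:00 +0000] "GET /panelizer/ HTTP/1.1" 404 200 "-" "masscan/1.3"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line into its fields; raise on lines that do not match."""
    m = COMBINED_LOG.match(line)
    if m is None:
        raise ValueError(f"unparseable access log line: {line!r}")
    return m.groupdict()


def panelizer_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose request path mentions panelizer (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            if "panelizer" in entry["path"].lower():
                hits.append(entry)
    return hits


def triage(hits: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep hits matching the page's indicators and record why each one matched.

    A 404 on a panelizer path is a probe against a module that is not there and
    is dropped here; once Panelizer is removed, every such request should 404.
    """
    findings = []
    for h in hits:
        reasons = []
        if h["method"] == "POST":
            reasons.append("POST to panelizer path")
        if h["status"] == "403":
            reasons.append("access denied on panelizer path (probing)")
        elif h["status"] == "200":
            reasons.append("successful panelizer request")
        if reasons:
            findings.append({**h, "reasons": reasons})
    return findings


def sources(findings: List[Dict[str, object]]) -> Counter:
    """Count findings per client address so the noisiest source comes first."""
    return Counter(str(f["ip"]) for f in findings)


if __name__ == "__main__":
    found = triage(panelizer_hits(SAMPLE_LOG))
    for f in found:
        print(f"{f['ip']:15} {f['method']:4} {f['status']} {f['path']}  <- {'; '.join(f['reasons'])}")
    print("by source:", dict(sources(found)))
```

On the sample this yields three findings: a 403 followed by a successful POST from the same address (a denied attempt and then a write, which is the sequence worth escalating) and one 200 from an administrator, which is only suspicious if that account should not be editing layouts. Expect a burst of 404s on panelizer paths after removal; those are scanners confirming the module is gone, not exploitation.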
