CVE-2025-44071

9.8 CRITICAL

📋 TL;DR

SeaCMS v13.3 contains a remote code execution vulnerability in phomebak.php that allows attackers to execute arbitrary code via crafted HTTP requests. This affects all SeaCMS v13.3 installations with the vulnerable component accessible. Attackers can compromise the entire web server and underlying system.

💻 Affected Systems

Products:
  • SeaCMS
Versions: v13.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All SeaCMS v13.3 installations with phomebak.php accessible are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing data theft, malware deployment, lateral movement to internal networks, and persistent backdoor installation.

🟠 Likely Case

Webshell deployment leading to website defacement, data exfiltration, cryptocurrency mining, or ransomware deployment.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and file integrity monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub. Simple HTTP POST request with crafted parameters can trigger RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check for official SeaCMS patch or update
2. If no patch, upgrade to latest SeaCMS version
3. Remove or restrict access to phomebak.php
4. Apply workarounds immediately

🔧 Temporary Workarounds

Delete vulnerable file (linux)

Remove phomebak.php from the SeaCMS installation directory:

rm /path/to/seacms/phomebak.php

Restrict file access (all platforms)

Block access to phomebak.php via web server configuration. The Apache example below uses the 2.2-style access-control directives; on Apache 2.4 these only work with mod_access_compat loaded, otherwise replace the two lines inside the block with the single directive Require all denied.

<Location "/phomebak.php">
    Order deny,allow
    Deny from all
</Location>

🧯 If You Can't Patch

  • Implement strict WAF rules blocking requests to phomebak.php
  • Deploy network segmentation to isolate SeaCMS server from critical assets

🔍 How to Verify

Check if Vulnerable:

Check if phomebak.php exists in SeaCMS installation directory and is accessible via HTTP

Check Version:

Check SeaCMS version in admin panel or readme files

Verify Fix Applied:

Verify phomebak.php is deleted or returns 403/404 when accessed

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to phomebak.php with suspicious parameters
  • Unusual process execution from web server user
  • File creation in web directories with .php extensions

Network Indicators:

  • Outbound connections from web server to suspicious IPs
  • Unusual traffic patterns from SeaCMS server

SIEM Query:

source="web_logs" AND uri="/phomebak.php" AND method="POST"
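As an added example (not part of this advisory), a small Python detector that applies the log indicators above to combined-format web server log lines: it flags any request to /phomebak.php and grades it by method and response status, so the same script also confirms that the deny/delete workaround is returning 403/404. The endpoint name comes from the advisory; the log format, severity thresholds and sample lines are assumptions.

```python
import re

# Combined log format (Apache/nginx default); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
WATCHED = {"/phomebak.php"}  # the only endpoint the advisory names

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines):
    """Flag every request to a watched path and grade it.

    'high': POST answered 2xx (endpoint reachable and accepted the request);
    'blocked': answered 403/404 (the deny/delete workaround is in effect);
    'low': any other request touching the path (e.g. reconnaissance GETs).
    """
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        if rec["path"].split("?", 1)[0] not in WATCHED:  # ignore query string
            continue
        status = int(rec["status"])
        if status in (403, 404):
            sev = "blocked"
        elif rec["method"] == "POST" and 200 <= status < 300:
            sev = "high"
        else:
            sev = "low"
        hits.append({"ip": rec["ip"], "method": rec["method"],
                     "status": status, "severity": sev})
    return hits

# Constructed sample traffic, not real log data.
SAMPLE = [
    '203.0.113.5 - - [01/May/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/May/2025:10:00:02 +0000] "GET /phomebak.php HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/May/2025:10:00:03 +0000] "POST /phomebak.php HTTP/1.1" 200 97',
    '198.51.100.7 - - [01/May/2025:11:30:00 +0000] "POST /phomebak.php?x=1 HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A run of "high" hits from one source after a "low" GET is the pattern to pivot on; a stream of nothing but "blocked" hits is what the fixed state should look like.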
