CVE-2025-4541

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability (scored 6.3 MEDIUM) in LmxCMS 1.41 lets a remote attacker execute arbitrary SQL via the 'sortid' parameter of POST requests handled by the manageZt function in c/admin/ZtAction.class.php. The parameter is used in a database query without an integer cast or a bound parameter, so an attacker who can reach the handler can read, modify, or delete database content. Every LmxCMS 1.41 installation that ships this component is affected.

💻 Affected Systems

Products:
  • LmxCMS
Versions: 1.41
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations in which the c/admin/ZtAction.class.php component is present and its manageZt action is reachable through the admin interface.

📦 What is this software?

LmxCMS is a PHP-based content management system; the vulnerable code is a PHP controller class in its admin back end (c/admin/ZtAction.class.php), so the fix and the checks below are PHP-level changes on the web server.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft or destruction of data, privilege escalation to CMS administrator (for example by reading or rewriting admin credentials), and remote code execution if the database account can write files into the web root (on MySQL, INTO OUTFILE with the FILE privilege) or otherwise reach the operating system.

🟠 Likely Case

Unauthorized reads of CMS and user data, data manipulation, and credential theft or authentication bypass leading to administrative control of the CMS.

🟢 If Mitigated

Limited impact: with sortid coerced to an integer and a least-privilege database account, the most an attacker gains is read access to tables the CMS user can already see, with no ability to modify them.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (access to the admin interface is required)
Complexity: LOW

The manageZt handler lives in the admin back end, so an attacker needs a session that can reach it; the function itself performs no additional authorization check beyond whatever gates the admin area, so any account that gets that far can trigger it. That low-privilege requirement is consistent with the 6.3 MEDIUM rating. Once reachable, exploitation is a single crafted POST. A public proof-of-concept is available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: none

Vendor Advisory: none

Restart Required: No

Instructions:

No official patch is available and the vendor did not respond to the disclosure. Apply the workarounds below now, and plan a migration to a maintained CMS.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Coerce sortid to an integer before it reaches any SQL statement.

In c/admin/ZtAction.class.php, add $sortid = intval($_POST['sortid']); at the top of manageZt and make sure every later use of the parameter in that function reads the coerced variable rather than $_POST['sortid'] directly. Treat this as a stopgap: the durable fix is a parameterized query.
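The following is an added example, not LmxCMS code, that reproduces the sortid pattern in a minimal form and places the intval() stopgap from the workaround above beside a prepared-statement fix. It assumes PHP with PDO and the sqlite driver; the table and column names (zt, admin, pass_hash) are constructed for the demo and are not the CMS's real schema.

```php
<?php
// Added example, not LmxCMS code: the sortid pattern in a minimal form, with the
// page's intval() stopgap and a prepared-statement fix side by side.
// Assumptions: PDO with the sqlite driver is available; the table and column
// names (zt, admin) are constructed for this demo and are not the CMS's schema.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE zt (id INTEGER PRIMARY KEY, sortid INTEGER, title TEXT)');
    $db->exec("INSERT INTO zt (sortid, title) VALUES (1, 'topic one'), (2, 'topic two')");
    $db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)');
    $db->exec("INSERT INTO admin (name, pass_hash) VALUES ('admin', 'hash-placeholder')");
    return $db;
}

// Vulnerable shape: the request value is spliced into the SQL text, so a value
// such as "1 UNION SELECT ..." becomes part of the query.
function manageZt_vulnerable(PDO $db, array $post): array
{
    $sortid = $post['sortid'] ?? '';
    $sql = "SELECT id, title FROM zt WHERE sortid = $sortid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Stopgap from the workaround above: intval() keeps only the leading integer,
// so "1 UNION SELECT ..." collapses to 1 before the string is built.
function manageZt_intval(PDO $db, array $post): array
{
    $sortid = intval($post['sortid'] ?? 0);
    $sql = "SELECT id, title FROM zt WHERE sortid = $sortid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Durable fix: a bound parameter. The value is sent to the engine as data and
// can never change the statement's structure.
function manageZt_prepared(PDO $db, array $post): array
{
    $stmt = $db->prepare('SELECT id, title FROM zt WHERE sortid = :sortid');
    $stmt->bindValue(':sortid', (int) ($post['sortid'] ?? 0), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload in the shape the advisory describes: a UNION that pulls
// rows from a table the handler was never meant to touch.
$payload = ['sortid' => '1 UNION SELECT name, pass_hash FROM admin'];
$db = make_demo_db();

echo "vulnerable:\n";
print_r(manageZt_vulnerable($db, $payload)); // the admin row is returned alongside topic one
echo "intval:\n";
print_r(manageZt_intval($db, $payload));     // only the sortid = 1 row
echo "prepared:\n";
print_r(manageZt_prepared($db, $payload));   // only the sortid = 1 row
```

Run it with the PHP CLI. The intval() version is safe only because sortid is meant to be an integer; for a string parameter the same hot patch would not apply, and the prepared statement is the pattern to copy into every query in the handler.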

WAF Rule

Applies to: all

Block SQL injection patterns in the sortid parameter of POST requests to the admin interface.

The rule must inspect the request body (not only the URI), URL-decode the value, match case-insensitively, and ideally enforce the parameter's expected shape (an optional sign followed by digits) instead of only blacklisting UNION and SELECT, which misses boolean- and time-based payloads.

🧯 If You Can't Patch

  • Restrict network access to the admin interface using IP whitelisting
  • Implement database user with minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Confirm that c/admin/ZtAction.class.php exists and inspect manageZt: if $_POST['sortid'] (or a request helper returning it) is concatenated into an SQL string without an integer cast or a bound parameter, the installation is vulnerable. A quick screen is to search the file for sortid and review each hit.

Check Version:

Check CMS version in configuration files or admin panel

Verify Fix Applied:

From a test account, submit a manageZt request with a plain integer sortid and then with the same integer followed by SQL syntax. A fixed installation returns identical rows for both (the value is coerced or bound) or rejects the second request; a vulnerable one changes the result set or surfaces a database error.

📡 Detection & Monitoring

Log Indicators:

  • Database query logs showing UNION, comment sequences (--, /*) or boolean clauses appended to queries issued by the CMS's database account
  • POST requests that reach the manageZt action with a non-integer sortid value; ZtAction.class.php is a controller class, so the request URI may name a front controller rather than the file itself

Network Indicators:

  • POST bodies in which sortid contains SQL keywords (UNION, SELECT, AND, OR, SLEEP), quotes or comment markers, including URL-encoded, double-encoded or mixed-case forms

SIEM Query (illustrative, Splunk-style; it needs a log source that records POST bodies, such as a WAF or application log, because plain access logs omit them):

source="web_logs" AND uri="*ZtAction.class.php*" AND (param="*sortid*UNION*" OR param="*sortid*SELECT*")

Match case-insensitively against the URL-decoded body, also match on the manageZt action name since the URI may not contain the file name, and extend the keyword list (AND, OR, SLEEP, comment markers) or, better, alert on any sortid value that is not an integer.
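The logic behind that query, as an added example that is not part of the page or of LmxCMS, run over constructed request-log lines. It goes beyond the keyword match above: it URL-decodes repeatedly, matches the action name as well as the file name, and flags any non-integer sortid. It assumes each line is "METHOD URI BODY" from a log that records POST bodies; the routed URI /admin/index.php?a=manageZt is a made-up routing form used only to show that the controller file name need not appear in the URI.

```php
<?php
// Added example, not from the page or LmxCMS: the detection logic behind the
// SIEM query, run over constructed request-log lines. Assumptions: each line is
// "METHOD URI BODY" from a WAF or application log that records POST bodies; the
// routed URI "/admin/index.php?a=manageZt" is a made-up routing form used only
// to show that the controller file name need not appear in the request URI.

// Keywords and tokens that have no business in an integer parameter.
const SORTID_SQLI_PATTERN = '/\b(union|select|and|or|sleep|benchmark)\b|--|\/\*|\'/i';

/**
 * Return the named form parameter, URL-decoded repeatedly so that double-encoded
 * payloads (%2527 -> %27 -> ') are seen in their final form. Null if absent.
 */
function decoded_param(string $body, string $name): ?string
{
    parse_str($body, $params);             // first decoding pass
    if (!isset($params[$name])) {
        return null;
    }
    $value = (string) $params[$name];
    for ($pass = 0; $pass < 3; $pass++) {  // bounded: stop once the value is stable
        $next = urldecode($value);
        if ($next === $value) {
            break;
        }
        $value = $next;
    }
    return $value;
}

/**
 * Flag POST requests that reach manageZt with a sortid that is not a plain
 * integer. Returns one record per hit with the decoded value and the reason.
 */
function flag_sortid_injection(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        [$method, $uri, $body] = array_pad(explode(' ', $line, 3), 3, '');
        if ($method !== 'POST') {
            continue;
        }
        // Match either the controller file or the action name: a .class.php
        // controller is normally reached through a front controller, so the
        // file name may never appear in the URI.
        $reachesHandler = stripos($uri, 'ZtAction.class.php') !== false
            || stripos($uri . '&' . $body, 'manageZt') !== false;
        if (!$reachesHandler) {
            continue;
        }
        $sortid = decoded_param($body, 'sortid');
        if ($sortid === null || preg_match('/^-?\d+$/', $sortid)) {
            continue;                        // absent, or a well-formed integer
        }
        $reason = preg_match(SORTID_SQLI_PATTERN, $sortid) ? 'sql-keyword' : 'non-integer';
        $hits[] = ['uri' => $uri, 'sortid' => $sortid, 'reason' => $reason];
    }
    return $hits;
}

// Constructed sample log (not real traffic).
$sampleLog = [
    'POST /admin/index.php?a=manageZt sortid=3&page=1',                                                // benign
    'POST /c/admin/ZtAction.class.php sortid=1%20UNION%20SELECT%20name%2Cpass_hash%20FROM%20admin',    // keyword
    'POST /admin/index.php?a=manageZt sortid=1%2520AND%25201%253D1',                                   // double-encoded boolean probe
    'POST /admin/index.php?a=manageZt sortid=0x31',                                                    // hex literal, no keyword
    'GET /c/admin/ZtAction.class.php sortid=1%20UNION%20SELECT%201',                                   // wrong method, ignored
    'POST /index.php sortid=1%20UNION%20SELECT%201',                                                   // other endpoint, ignored
];

print_r(flag_sortid_injection($sampleLog));
```

The second, third and fourth lines are reported; the third would slip past the UNION/SELECT-only query because it carries no such keyword and is double-encoded, and the fourth is caught solely by the integer-shape rule.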
