CVE-2025-4545
📋 TL;DR
This vulnerability allows authenticated attackers to delete arbitrary files on CTCMS Content Management System servers via path traversal in the file deletion function. Attackers can exploit this remotely to delete critical system files, potentially causing service disruption or data loss. All systems running vulnerable versions of CTCMS are affected.
💻 Affected Systems
- CTCMS Content Management System
📦 What is this software?
Ctcms by Ctcms Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical operating system files, leading to system crashes, data loss, or enabling further attacks by removing security controls.
Likely Case
Service disruption through deletion of web application files, configuration files, or user data, causing website downtime and potential data loss.
If Mitigated
Limited impact if proper file permissions and access controls prevent deletion of critical files, though application files remain vulnerable.
🎯 Exploit Status
Exploit requires authenticated admin access. Public proof-of-concept demonstrates file deletion via path traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Consider upgrading to newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Input Validation for File Parameter
Add input validation to the del function in Tpl.php so that file paths are restricted to the intended directories.
Modify ctcms/apps/controllers/admin/Tpl.php to validate the file parameter against allowed paths.
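The kind of check the del handler needs, as an added example that is not CTCMS code (it assumes PHP 8 for str_contains/str_starts_with; the function names, the templates directory and the temp tree are constructed for illustration). The user-supplied name is canonicalised with realpath() and must remain strictly inside the template directory before unlink() runs.

```php
<?php
// Added example, not taken from CTCMS. Confine a user-supplied template
// name to a base directory before deleting it. Names are assumptions.

function confine_to_dir(string $baseDir, string $userPath): ?string
{
    // Reject null bytes and absolute paths (POSIX or drive-letter) outright.
    if (str_contains($userPath, "\0") || str_starts_with($userPath, '/')
        || preg_match('#^[A-Za-z]:#', $userPath)) {
        return null;
    }
    // Defence in depth: reject any '..' segment whichever separator is used.
    foreach (preg_split('#[\\\\/]+#', $userPath) as $seg) {
        if ($seg === '..') {
            return null;
        }
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return null; // base missing or target does not exist
    }
    // Canonical path (symlinks resolved) must sit strictly below the base dir.
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

function safe_delete_template(string $baseDir, string $userPath): bool
{
    $target = confine_to_dir($baseDir, $userPath);
    if ($target === null || !is_file($target)) {
        error_log("rejected template delete: " . $userPath); // feeds detection
        return false;
    }
    return unlink($target);
}

// Demo on a constructed temp tree, not real CTCMS paths.
$tmp = sys_get_temp_dir() . '/ctcms_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/templates", 0700, true);
file_put_contents("$tmp/templates/page.html", "x");
file_put_contents("$tmp/config.php", "x");
var_dump(safe_delete_template("$tmp/templates", '../config.php'));
var_dump(safe_delete_template("$tmp/templates", 'page.html'));
var_dump(file_exists("$tmp/config.php"));
```

The traversal attempt is refused and config.php survives, while the in-tree template is deleted; the error_log line gives the "file deletion errors" indicator listed under Detection & Monitoring something to match.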
File Permission Restrictions
Set restrictive file permissions on critical system directories to prevent deletion. On Linux a file can be removed by any user with write permission on its parent directory, so the directory mode and ownership (not the web server account) are what block deletion, not the mode of the file itself.
chmod 755 /var/www/html/ctcms/
chmod 644 /var/www/html/ctcms/*.php
🧯 If You Can't Patch
- Restrict admin panel access to trusted IP addresses only using firewall rules
- Implement web application firewall (WAF) rules to block path traversal patterns in requests
🔍 How to Verify
Check if Vulnerable:
Check whether the CTCMS version is 2.1.2 by examining version files or the admin panel. Review Tpl.php for missing path validation in the del function.
Check Version:
Check ctcms/version.txt or admin panel version display
Verify Fix Applied:
Test the file deletion functionality with path traversal attempts. Verify that input validation rejects directory traversal.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to admin/Tpl.php with 'del' action containing '../' sequences
- File deletion errors in application logs
Network Indicators:
- POST requests to admin/Tpl.php with file parameter containing path traversal patterns
SIEM Query:
source="web_logs" AND uri="*admin/Tpl.php*" AND (params="*del*" AND params="*../*")
🔗 References
- https://github.com/xiaoyangsec/ctcms/blob/main/CTCMS_Arbitrary_File_Deletion_Vulnerability_Authenticated.md
- https://vuldb.com/?ctiid.308292
- https://vuldb.com/?id.308292
- https://vuldb.com/?submit.566498