CVE-2025-48200
📋 TL;DR
This critical vulnerability in the sr_feuser_register TYPO3 extension allows unauthenticated attackers to execute arbitrary code on affected systems. All TYPO3 installations using vulnerable versions of this extension are affected, potentially compromising entire websites and servers.
💻 Affected Systems
- TYPO3 sr_feuser_register extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining full control over the web server, database, and underlying operating system, leading to data theft, ransomware deployment, or use as a botnet node.
Likely Case
Website defacement, data exfiltration, backdoor installation, and lateral movement within the hosting environment.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented, though exploitation risk remains high.
🎯 Exploit Status
The vulnerability is in a popular extension with public exploit details available, making automated exploitation highly probable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.4.9 or later
Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2025-008
Restart Required: No
Instructions:
1. Update the sr_feuser_register extension to version 12.4.9 or later via TYPO3 Extension Manager.
2. Clear all caches in the TYPO3 backend.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable Extension
Temporarily disable the sr_feuser_register extension until patching is possible
typo3cms extension:deactivate sr_feuser_register
Remove Extension Files
Completely remove the extension files from the TYPO3 installation
rm -rf typo3conf/ext/sr_feuser_register/
🧯 If You Can't Patch
- Implement strict web application firewall rules to block suspicious POST requests to user registration endpoints
- Isolate affected TYPO3 instances in a segmented network zone with no access to critical systems
🔍 How to Verify
Check if Vulnerable:
Check the extension version in TYPO3 Extension Manager, or examine typo3conf/ext/sr_feuser_register/ext_emconf.php for the version number
Check Version:
grep -E "['\"]version['\"]" typo3conf/ext/sr_feuser_register/ext_emconf.php
Verify Fix Applied:
Confirm sr_feuser_register extension version is 12.4.9 or higher in TYPO3 Extension Manager
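The version check above, carried a step further as an added shell example that is not part of this advisory: it extracts the version from ext_emconf.php (whether the key is single- or double-quoted), compares it field by field against the fixed version 12.4.9 so that 12.4.10 is correctly treated as newer, and reports patched, vulnerable or unknown with a matching exit status. The two ext_emconf.php files it inspects are constructed inline as samples; the assumed file layout is the usual 'version' => 'X.Y.Z' entry.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a sr_feuser_register install as
# patched or vulnerable by parsing the version out of ext_emconf.php and comparing
# it against the fixed version 12.4.9 stated in the advisory.
# Assumptions: ext_emconf.php carries a 'version' => 'X.Y.Z' entry (single or
# double quoted) and versions are purely numeric, dot-separated.

FIXED_VERSION="12.4.9"

# Print the version string from an ext_emconf.php file, or nothing if absent.
emconf_version() {
  sed -n "s/.*['\"]version['\"][[:space:]]*=>[[:space:]]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Succeed (exit 0) when version $1 sorts strictly below version $2, comparing
# each dot-separated field numerically so 12.4.10 is newer than 12.4.9.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print "vulnerable (...)", "patched (...)" or "unknown" for one ext_emconf.php.
# Exit status: 1 vulnerable, 0 patched, 2 unknown, so it can drive other scripts.
check_emconf() {
  v=$(emconf_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"; return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable ($v < $FIXED_VERSION)"; return 1
  fi
  echo "patched ($v)"; return 0
}

# --- Constructed sample files standing in for typo3conf/ext/sr_feuser_register/ext_emconf.php ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
VULN_FILE="$WORKDIR/ext_emconf_vulnerable.php"
FIXED_FILE="$WORKDIR/ext_emconf_patched.php"

# Single-quoted keys, as TYPO3 extensions normally write them (constructed sample).
cat > "$VULN_FILE" <<'EOF'
<?php
$EM_CONF[$_EXTKEY] = [
    'title' => 'Front End User Registration',
    'version' => '12.4.8',
    'state' => 'stable',
];
EOF

# Double-quoted keys, the variant the advisory's grep assumes (constructed sample).
cat > "$FIXED_FILE" <<'EOF'
<?php
$EM_CONF[$_EXTKEY] = [
    "title" => "Front End User Registration",
    "version" => "12.4.9",
    "state" => "stable",
];
EOF

for f in "$VULN_FILE" "$FIXED_FILE"; do
  printf '%s: %s\n' "$f" "$(check_emconf "$f")"
done
```

On a real installation, point check_emconf at typo3conf/ext/sr_feuser_register/ext_emconf.php (or the composer vendor path in composer-mode sites) and branch on the exit status; an "unknown" result means the file is missing or laid out differently and needs a manual look in the Extension Manager.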
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to user registration endpoints
- Unexpected PHP file creation in web directories
- Suspicious system command execution in web server logs
Network Indicators:
- Outbound connections to unknown IPs from web server
- Unusual traffic patterns to/from TYPO3 instance
SIEM Query:
source="web_logs" AND (uri_path="/index.php?eID=sr_feuser_register" OR user_agent CONTAINS "curl" OR user_agent CONTAINS "wget") AND status=200