CVE-2025-52353
📋 TL;DR
This vulnerability allows authenticated attackers to upload malicious files containing PHP code to Badaso CMS, bypassing content-type validation. When accessed, these files execute arbitrary system commands, enabling full host compromise. All Badaso CMS 2.9.11 installations with authenticated user access are affected.
💻 Affected Systems
- Badaso CMS
📦 What is this software?
Badaso by Uatech
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining root/admin privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Attacker gains shell access to the web server, can read/write files, access databases, and pivot to internal network resources.
If Mitigated
With proper file upload restrictions and web server configuration, impact is limited to file system access within the web directory only.
🎯 Exploit Status
Exploit involves simple file upload with PHP extension or embedded PHP code. Public proof-of-concept demonstrates embedding backdoor in PDF renamed to .php.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.12 or later
Vendor Advisory: https://github.com/uasoft-indonesia/badaso
Restart Required: No
Instructions:
1. Backup your Badaso installation and database.
2. Update Badaso CMS to version 2.9.12 or later via composer update.
3. Clear application cache.
4. Verify file upload functionality now properly validates file types and extensions.
🔧 Temporary Workarounds
Restrict file upload extensions
Configure the web server to block execution of uploaded files with PHP extensions
# For Apache: add to .htaccess in the upload directory (only honoured if AllowOverride permits it)
<FilesMatch "\.(php|php3|php4|php5|phtml|phar)$">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 syntax (or 2.4 with mod_access_compat loaded):
    # Order Allow,Deny
    # Deny from all
</FilesMatch>
# For Nginx: add to the server block BEFORE the existing "location ~ \.php$" fastcgi handler
# (regex locations are matched in configuration order, first match wins).
# Scope the rule to the upload path: <upload-dir> is a placeholder for the web-exposed
# upload directory; an unscoped rule would also block the application's own index.php.
location ~* ^/<upload-dir>/.*\.(php|php3|php4|php5|phtml|phar)$ {
    deny all;
}
Disable Media Manager upload
Temporarily disable file upload functionality in Media Manager
# Edit Badaso configuration to disable upload endpoint
# Modify config/badaso.php or relevant middleware
🧯 If You Can't Patch
- Implement strict file upload validation: only allow specific safe extensions (jpg, png, pdf) and validate both MIME type and file signature
- Move upload directory outside web root or configure web server to prevent execution of uploaded files
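One way to implement that validation, as an added example rather than Badaso's own code: a Python checker (the function name and signature table are assumptions for illustration) that applies an extension allowlist, rejects nested PHP extensions, matches the file's leading bytes against the claimed type, and scans allowed types for PHP open tags, so a PDF with embedded PHP is refused on content rather than on the client-supplied Content-Type.

```python
import re

# Allowlisted extensions and the file signature (magic bytes) each must
# start with; constructed for this example, extend as needed.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}

# Extensions a web server may hand to the PHP interpreter.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# PHP open tags (<?php, <?=, or a bare <? short tag). A file of an allowed
# type has no business containing any of them.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The client's Content-Type is never consulted:
    the decision rests only on the name and the bytes actually received."""
    name = filename.lower().strip()
    if not name or name.startswith(".") or "/" in name or "\\" in name:
        return False, "invalid filename"
    parts = name.split(".")
    if len(parts) < 2:
        return False, "missing extension"
    # Reject shell.php as well as shell.php.jpg; a lax server rule could
    # still route the latter to PHP.
    if any(p in PHP_EXTENSIONS for p in parts[1:]):
        return False, "php extension"
    ext = parts[-1]
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "file signature does not match extension"
    # Catches a genuine PDF/image header with PHP code appended after it.
    if PHP_OPEN_TAG.search(data):
        return False, "embedded php code"
    return True, "ok"
```

Run it in the upload handler before the file is written to disk; the reason string is suitable for the application log feeding the SIEM query below.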
🔍 How to Verify
Check if Vulnerable:
Test whether you can upload a file with a .php extension, or embed PHP code in an allowed file type, via the Media Manager interface
Check Version:
php artisan badaso:version
Verify Fix Applied:
Attempt to upload a test file with PHP code or a .php extension; it should be rejected. Check that the Badaso version is 2.9.12 or later.
📡 Detection & Monitoring
Log Indicators:
- File uploads with .php extension in web server logs
- Unusual file uploads to Media Manager endpoint
- POST requests to /api/v1/file-upload with PHP content
Network Indicators:
- HTTP POST requests to file upload endpoints with PHP file uploads
- Subsequent requests to uploaded .php files
SIEM Query:
source="web_server.log" (url="*file-upload*" AND (file_extension="php" OR content_type="application/x-php"))