CVE-2025-57439

8.8 HIGH

📋 TL;DR

CVE-2025-57439 is a critical remote code execution vulnerability in Creacast Creabox Manager 4.4.4 where authenticated attackers can inject arbitrary Lua code via the edit.php endpoint. This allows complete server compromise including reverse shell execution and arbitrary command execution. Organizations using Creabox Manager 4.4.4 are affected.

💻 Affected Systems

Products:
  • Creacast Creabox Manager
Versions: 4.4.4
Operating Systems: Any OS running Creabox Manager
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the edit.php endpoint, but default installations likely have user accounts that could be compromised or guessed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case

Attacker gains shell access to the server, exfiltrates sensitive data, and potentially compromises other systems on the same network.

🟢 If Mitigated

Limited impact if network segmentation, strict access controls, and monitoring prevent lateral movement and data exfiltration.

🌐 Internet-Facing: HIGH - The edit.php endpoint is accessible over the network, making internet-facing instances immediately vulnerable to exploitation.
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to authenticated attackers, including compromised accounts or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but is straightforward once credentials are obtained. Public proof-of-concept code exists in the referenced GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://www.creacast.com/

Restart Required: No

Instructions:

1. Check the vendor website for security updates.
2. If a patch has been released, download and apply it according to the vendor's instructions.
3. Verify the fix by testing the edit.php endpoint.

🔧 Temporary Workarounds

Block edit.php endpoint

Platform: all

Restrict access to the vulnerable endpoint using web server configuration or firewall rules.

# Apache (needs mod_rewrite and RewriteEngine On in the same context): RewriteRule ^edit\.php$ - [F]
# Nginx: location ~ ^/edit\.php$ { deny all; }
# Firewall: iptables -A INPUT -p tcp --dport 80 -m string --string "edit.php" --algo bm -j DROP
# Caveat: the iptables string match only sees plaintext HTTP on port 80 (not HTTPS) and drops any packet containing "edit.php" anywhere in its payload; prefer the web server rules above.
# Caveat: denying edit.php outright disables that management function; if it is still needed, restrict it to trusted source addresses (e.g. Nginx "allow <admin-net>; deny all;") instead of a blanket deny.

Implement strict authentication controls

Platform: all

Enforce strong passwords, multi-factor authentication, and limit login attempts to reduce credential compromise risk.

# Implement MFA if supported
# Set strong password policy: min length 12, complexity required
# Configure fail2ban or similar for login attempts

🧯 If You Can't Patch

  • Isolate the Creabox Manager system in a restricted network segment with no internet access.
  • Implement application-level input validation to sanitize Lua code in configuration inputs.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Creabox Manager version is 4.4.4 and whether the edit.php endpoint accepts Lua code in configuration parameters.

Check Version:

Check the application interface or configuration files for version information; specific command depends on installation.

Verify Fix Applied:

Test if Lua code injection via edit.php no longer executes on the server after applying patches or workarounds.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to edit.php with Lua code patterns
  • Unexpected process execution from web server user
  • Authentication logs showing brute force attempts

Network Indicators:

  • Outbound connections from web server to unknown IPs (reverse shells)
  • Unusual traffic patterns to/from Creabox Manager port

SIEM Query:

source="web_logs" AND uri="/edit.php" AND (body="os.execute" OR body="io.popen" OR body="loadstring")
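The SIEM query above is written in generic pseudo-syntax; an exact-match `body="os.execute"` would miss a request whose body merely contains that string, and a form-encoded body carries the payload percent-encoded (`os.execute%28`), so the pattern never appears literally in the raw log. The following Python script is an added example, not part of the original advisory or of any Creacast tooling: it runs the page's log indicators (POST to edit.php containing Lua OS-access primitives) over constructed JSON-lines request records, percent-decoding the body before matching. The record field names (`ts`, `src`, `method`, `uri`, `body`) and the extra patterns beyond the three in the query are assumptions.

```python
import json
from urllib.parse import unquote_plus

# Lua primitives a payload needs to reach the OS or load more code. The first
# three come from the advisory's SIEM query; the rest are added here as an
# assumption about what a defender would also want to alert on.
LUA_DANGEROUS = ("os.execute", "io.popen", "loadstring", "load(", "dofile", "os.getenv")

# Constructed sample records (JSON lines, one request per line). Field names are
# an assumption; a real WAF or reverse-proxy audit log will name them differently.
SAMPLE_LOG = r'''
{"ts": "2025-08-01T10:00:01Z", "src": "10.0.0.5", "method": "GET", "uri": "/index.php", "status": 200, "body": ""}
{"ts": "2025-08-01T10:00:07Z", "src": "10.0.0.5", "method": "POST", "uri": "/edit.php", "status": 200, "body": "name=stream1&bitrate=128"}
{"ts": "2025-08-01T10:01:13Z", "src": "203.0.113.9", "method": "POST", "uri": "/edit.php", "status": 200, "body": "cfg=os.execute%28%22whoami%22%29"}
{"ts": "2025-08-01T10:01:20Z", "src": "203.0.113.9", "method": "POST", "uri": "/edit.php?id=3", "status": 500, "body": "cfg=io.popen%28%27uname+-a%27%29%3Aread%28%27%2Aa%27%29"}
{"ts": "2025-08-01T10:02:00Z", "src": "10.0.0.8", "method": "POST", "uri": "/login.php", "status": 302, "body": "user=admin&pass=loadstring"}
'''


def decode_body(body: str) -> str:
    """Percent-decode the body (at most twice, to catch double encoding)
    and lower-case it so encoded payloads such as os.execute%28 still match."""
    decoded = body
    for _ in range(2):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def is_edit_endpoint(uri: str) -> bool:
    """True for /edit.php regardless of query string or path prefix."""
    path = uri.split("?", 1)[0]
    return path.lower().endswith("/edit.php")


def scan_records(lines):
    """Return one hit per POST to edit.php whose decoded body contains a
    dangerous Lua primitive. Requests to other endpoints are ignored even if
    they contain the same strings (e.g. a password field), which keeps the
    signal tied to the vulnerable code path the advisory describes."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not is_edit_endpoint(rec.get("uri", "")):
            continue
        body = decode_body(rec.get("body", ""))
        matched = [p for p in LUA_DANGEROUS if p in body]
        if matched:
            hits.append({"ts": rec["ts"], "src": rec["src"], "uri": rec["uri"], "patterns": matched})
    return hits


def scan_log(text: str):
    """Convenience wrapper: scan a JSON-lines log held in a string."""
    return scan_records(text.splitlines())


def sources_by_hits(hits):
    """Aggregate hits per source address, the view an analyst triages first."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} POST {h["uri"]} matched {h["patterns"]}')
    print("per-source:", sources_by_hits(found))
```

Feed `scan_records` the lines of a real request log (any source that records the POST body, such as a WAF or reverse-proxy audit log, converted to the same fields) and pair the hits with the host-side indicators the advisory lists: a child process spawned by the web server user shortly after a flagged request is the confirmation that the injection executed.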
