CVE-2025-63738

4.3 MEDIUM

📋 TL;DR

An unauthenticated attacker can make index.php of Xinhu Rainrock RockOA 2.7.0 call phpinfo() by passing a=phpinfo as the 'a' parameter, disclosing the PHP configuration and server details. Every RockOA 2.7.0 deployment on which index.php is reachable is affected; no login is required.

💻 Affected Systems

Products:
  • Xinhu Rainrock RockOA
Versions: 2.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of RockOA 2.7.0 with index.php accessible. No special configuration required.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain the full PHP configuration, environment variables (including any database credentials passed that way), loaded extensions and absolute system paths, which supports follow-on attacks such as credential theft, privilege escalation or precisely targeted exploitation of the stack.

🟠

Likely Case

Attackers gather system information including PHP settings, installed extensions, server paths, and potentially sensitive configuration details that could aid in reconnaissance for additional attacks.

🟢

If Mitigated

Limited information disclosure with no direct system compromise, though it still provides attackers with valuable reconnaissance data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required. The GitHub issue shows exploitation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/rainrocka/xinhu/issues/11

Restart Required: No

Instructions:

1. Monitor the GitHub repository for a fixed release.
2. Apply any available update.
3. Remove or restrict access to the phpinfo() action until a fix is in place.

🔧 Temporary Workarounds

Restrict access to index.php with the vulnerable parameter

Platforms: all

Add a web server rule that rejects requests to index.php whose query string sets a=phpinfo:

# Apache, in .htaccess (requires AllowOverride FileInfo); in a vhost config use ^/index\.php$ as the RewriteRule pattern instead
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)a=phpinfo(&|$) [NC]
RewriteRule ^index\.php$ - [F,L]

# Nginx, inside the existing location block that hands .php requests to PHP-FPM (a separate location for index.php would take it away from the PHP handler and serve it as a static file)
if ($arg_a ~* ^phpinfo$) { return 403; }

Both rules compare the raw, still percent-encoded query string, while PHP decodes it before RockOA sees it, so a request such as a=php%69nfo slips past them. Treat this as a stopgap and prefer disabling phpinfo() in PHP itself.

Disable phpinfo function

Platforms: all

Prevent phpinfo() from executing via PHP configuration:

# php.ini or the PHP-FPM pool config; disable_functions is PHP_INI_SYSTEM, so it cannot be set from .htaccess or ini_set()
disable_functions = phpinfo

Reload PHP-FPM or Apache afterwards for the setting to take effect; the vulnerable request then returns a PHP warning that phpinfo() has been disabled instead of the report. If the deployment already sets disable_functions, append phpinfo to the existing comma-separated list rather than replacing it.

🧯 If You Can't Patch

  • Restrict the 'a' parameter in index.php to an allow-list of expected action names so that phpinfo cannot be dispatched
  • Deploy WAF rules that block requests carrying a=phpinfo, matching on the decoded parameter value rather than the literal string

🔍 How to Verify

Check if Vulnerable:

Access http://[target]/index.php?a=phpinfo and check if phpinfo output appears

Check Version:

Check RockOA version in admin panel or configuration files

Verify Fix Applied:

Attempt the same request and verify phpinfo output is blocked or returns error
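The three checks above (vulnerable, fixed, and the re-test after a filter is applied) as one script. This is an added example for this advisory, not RockOA's or the vendor's code; the marker strings come from the HTML that PHP's phpinfo() emits, and the percent-encoded probe a=php%69nfo is an assumption used to show that a rule matching only the literal query string is bypassable, because PHP decodes the parameter before the application sees it.

```python
"""Check whether a RockOA instance answers index.php?a=phpinfo with phpinfo() output."""
import re
import urllib.error
import urllib.request

# Strings present in the HTML that PHP's phpinfo() produces.
PHPINFO_MARKERS = (
    re.compile(r"<title>PHP [^<]* - phpinfo\(\)</title>", re.I),
    re.compile(r"PHP Version", re.I),
    re.compile(r"Loaded Configuration File", re.I),
)

# Plain probe plus a percent-encoded variant (assumption: used to confirm that a
# web-server rule matching the raw query string is not trivially bypassed).
PROBE_PARAMS = ("a=phpinfo", "a=php%69nfo")


def looks_like_phpinfo(body: str, min_markers: int = 2) -> bool:
    """Return True if the body matches at least min_markers phpinfo() markers."""
    hits = sum(1 for rx in PHPINFO_MARKERS if rx.search(body))
    return hits >= min_markers


def classify_response(status: int, body: str) -> str:
    """Map an HTTP status and body to a verdict for this check."""
    if status == 403:
        return "blocked"
    if status == 200 and looks_like_phpinfo(body):
        return "vulnerable"
    return "not_vulnerable"


def check_target(base_url: str, timeout: float = 10.0) -> dict:
    """Probe base_url/index.php with each variant; verdict per variant.

    Performs network requests: run only against systems you are authorised to test.
    """
    results = {}
    for param in PROBE_PARAMS:
        url = f"{base_url.rstrip('/')}/index.php?{param}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
                results[param] = classify_response(resp.status, body)
        except urllib.error.HTTPError as exc:
            body = exc.read().decode("utf-8", "replace")
            results[param] = classify_response(exc.code, body)
    return results


# Constructed sample bodies for offline use (not captured from a real host).
SAMPLE_PHPINFO = (
    "<html><head><title>PHP 7.4.33 - phpinfo()</title></head><body>"
    '<h1 class="p">PHP Version 7.4.33</h1>'
    "<tr><td>Loaded Configuration File</td><td>/etc/php/7.4/fpm/php.ini</td></tr>"
    "</body></html>"
)
SAMPLE_LOGIN = "<html><head><title>RockOA</title></head><body>login form</body></html>"

if __name__ == "__main__":
    print(classify_response(200, SAMPLE_PHPINFO))  # vulnerable
    print(classify_response(200, SAMPLE_LOGIN))    # not_vulnerable
    print(classify_response(403, ""))              # blocked
```

A host is only fixed when every variant in PROBE_PARAMS comes back as something other than "vulnerable"; a "blocked" result for a=phpinfo next to "vulnerable" for a=php%69nfo means a query-string filter is in place but phpinfo() itself is still callable.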

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to index.php with 'a=phpinfo' parameter
  • Unusual access patterns to index.php

Network Indicators:

  • HTTP GET requests containing 'a=phpinfo' in query string

SIEM Query:

http.url:*index.php* AND http.query:a=phpinfo

The literal match misses percent-encoded variants such as a=php%69nfo, which PHP decodes to the same value; decode or normalise the query string before matching where the SIEM supports it, and match the parameter name exactly so that unrelated fields are not flagged.
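The log indicators above applied to access-log lines, as an added example for this advisory rather than vendor or page code. The log lines are constructed, not captured from a real host. The query string is percent-decoded before comparison so that encoded variants are caught, which a literal 'a=phpinfo' substring search would miss, and the parameter name is matched exactly so that a different parameter merely containing that string is not flagged.

```python
"""Flag phpinfo probes against index.php in Apache/Nginx combined-format access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_phpinfo_probe(target: str) -> bool:
    """True if the request target is index.php with an 'a' parameter equal to phpinfo.

    parse_qs decodes percent-encoding and splits on '&', so 'a=php%69nfo' matches
    while 'xa=phpinfo' (a different parameter name) does not.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True)
    return any(v.strip().lower() == "phpinfo" for v in values.get("a", []))


def find_phpinfo_probes(lines):
    """Return (ip, target, status) for every log line that is a phpinfo probe.

    Blocked attempts (403) are reported too: a probe that was refused is still
    reconnaissance worth tracking.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_phpinfo_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log lines for this example (addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:09:12:01 +0000] "GET /index.php?a=phpinfo HTTP/1.1" 200 81234 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Nov/2025:09:12:03 +0000] "GET /index.php?a=php%69nfo HTTP/1.1" 200 81234 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Nov/2025:09:13:10 +0000] "GET /index.php?a=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2025:09:13:12 +0000] "GET /index.php?xa=phpinfo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:09:14:00 +0000] "GET /index.php?a=PHPINFO HTTP/1.1" 403 199 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for ip, target, status in find_phpinfo_probes(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run over the constructed sample, the script reports three probes from 203.0.113.7 (the plain, the percent-encoded and the upper-case form, the last one already refused with 403) and ignores both the ordinary a=login request and the xa=phpinfo request whose parameter name does not match.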
