CVE-2025-65657
📋 TL;DR
CVE-2025-65657 is a remote code execution vulnerability in FeehiCMS version 2.1.1 that allows authenticated attackers to upload malicious PHP files through the Ad Management feature. This vulnerability enables attackers to execute arbitrary code on the server, potentially compromising the entire system. Only FeehiCMS 2.1.1 installations with authenticated user access are affected.
💻 Affected Systems
- FeehiCMS
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.
Likely Case
Webshell installation allowing file system access, data exfiltration, and further exploitation of the server and connected systems.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and network segmentation preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept exists in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/liufee/cms/issues/78
Restart Required: No
Instructions:
No official patch available. Upgrade to a newer version if available, or implement workarounds. Monitor the GitHub issue for official fixes.
🔧 Temporary Workarounds
Restrict File Upload Types
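Configure the web server or application to allow only specific non-executable file types (jpg, png, pdf, txt) and to block PHP files. Scope the deny rules to the directory where uploads are stored; applied site-wide, they also block the CMS's own PHP entry points.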
# Apache: add to .htaccess in the upload directory
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|cgi|exe|dll|bat|cmd|com|vbs|vbe|js|jse|wsf|wsh|msc|sh|bash|dmg|app|jar|pif|scr|reg|cpl|msi|msp|hta|vb|vbs|ws|wsc|wsh)$">
    # Apache 2.4 syntax; on Apache 2.2 use "Order Allow,Deny" and "Deny from all"
    Require all denied
</FilesMatch>
# Nginx: add to the server block; anchor the pattern to the upload directory
# path so the rule does not match the CMS's own PHP entry points
location ~ \.(php|php3|php4|php5|phtml|pl|cgi|exe|dll|bat|cmd|com|vbs|vbe|js|jse|wsf|wsh|msc|sh|bash|dmg|app|jar|pif|scr|reg|cpl|msi|msp|hta|vb|vbs|ws|wsc|wsh)$ {
    deny all;
}
Disable Ad Management Feature
Temporarily disable or restrict access to the vulnerable Ad Management module until a proper fix is available.
# Remove or rename the Ad Management directory
mv /path/to/feehicms/admin/ad_management /path/to/feehicms/admin/ad_management.disabled
# Or modify permissions
chmod 000 /path/to/feehicms/admin/ad_management
🧯 If You Can't Patch
- Implement strict file upload validation in the application code to only allow specific file extensions and MIME types.
- Deploy a web application firewall (WAF) with rules to block PHP file uploads and suspicious POST requests to upload endpoints.
🔍 How to Verify
Check if Vulnerable:
Check if FeehiCMS version is 2.1.1 by examining the version file or admin panel. Test authenticated file upload functionality in Ad Management with a PHP file.
Check Version:
# -F matches "2.1.1" literally instead of treating each dot as a regex wildcard
grep -r "version" /path/to/feehicms/ | grep -F "2.1.1"
Verify Fix Applied:
Attempt to upload a PHP file through the Ad Management feature after implementing workarounds. Verify the file is blocked or saved with non-executable permissions.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with .php extension in web server logs
- POST requests to /admin/ad_management/upload endpoints with PHP files
- Multiple failed upload attempts followed by successful PHP file upload
Network Indicators:
- HTTP POST requests containing PHP code in body to upload endpoints
- Subsequent connections to uploaded PHP files from unusual IP addresses
SIEM Query:
source="web_server_logs" AND (uri_path="/admin/ad_management/upload" OR file_extension=".php") AND http_method="POST"
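The log indicators above can be correlated in a single pass over an access log. The following is an added example, not code from the advisory or from FeehiCMS: it flags requests for script files under the upload directory and ties each one to the most recent successful POST to the upload endpoint. The `/uploads/` directory, the 24-hour window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoint string comes from the indicators above. UPLOAD_DIR is an assumed
# location for stored uploads: set it to the directory your install uses.
UPLOAD_ENDPOINT = "/admin/ad_management/upload"
UPLOAD_DIR = "/uploads/"
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.I)
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2025:10:00:01 +0000] "POST /admin/ad_management/upload HTTP/1.1" 403 512 "-" "-"',
    '192.0.2.10 - - [12/Mar/2025:10:00:09 +0000] "POST /admin/ad_management/upload HTTP/1.1" 200 231 "-" "-"',
    '198.51.100.7 - - [12/Mar/2025:10:03:40 +0000] "GET /uploads/ad/banner.php?x=1 HTTP/1.1" 200 88 "-" "-"',
    '203.0.113.5 - - [12/Mar/2025:10:04:00 +0000] "GET /uploads/ad/banner.png HTTP/1.1" 200 9120 "-" "-"',
]

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that are not in combined log format
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["uri"].split("?", 1)[0]  # drop the query string before matching
    return m["ip"], ts, m["method"], path, int(m["status"])

def detect(lines, window=timedelta(hours=24)):
    """Return one alert per script request under UPLOAD_DIR, linked to the most
    recent successful upload POST inside `window` when there is one."""
    uploads, alerts = [], []
    for rec in filter(None, map(parse, lines)):
        ip, ts, method, path, status = rec
        if method == "POST" and path.startswith(UPLOAD_ENDPOINT) and status < 400:
            uploads.append((ts, ip))
        elif path.startswith(UPLOAD_DIR) and EXEC_EXT.search(path):
            prior = [u for u in uploads if timedelta(0) <= ts - u[0] <= window]
            alerts.append({
                "path": path, "client": ip, "status": status,
                "uploader": prior[-1][1] if prior else None,
                "served": status == 200,  # True: the server answered the request
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

An alert with `served` set to true and a non-empty `uploader` is the highest-priority case: the file was reachable and a matching upload preceded it.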