CVE-2025-66571
📋 TL;DR
This vulnerability allows remote, unauthenticated attackers to inject arbitrary PHP objects into UNA CMS via the profile_id POST parameter. Successful exploitation could lead to arbitrary PHP code execution, potentially compromising the entire web server. All UNA CMS installations running versions 9.0.0-RC1 through 14.0.0-RC4 are affected.
💻 Affected Systems
- UNA CMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with attacker gaining full control over the web server, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to website defacement, data theft, or cryptocurrency mining malware deployment.
If Mitigated
Attack blocked at WAF level or unsuccessful due to hardened PHP configuration.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB and other sources. The vulnerability requires no authentication and is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.0.0-RC5 or later
Vendor Advisory: https://unacms.com
Restart Required: No
Instructions:
1. Backup your UNA CMS installation and database.
2. Download the latest version from the official UNA CMS repository.
3. Replace the vulnerable BxBaseMenuSetAclLevel.php file with the patched version.
4. Verify the fix by checking that unserialize() is no longer called on untrusted input.
🔧 Temporary Workarounds
WAF Rule Implementation
Block malicious POST requests containing serialized PHP objects in the profile_id parameter.
ModSecurity rule: SecRule ARGS_POST:profile_id "@rx (O:\d+:|C:\d+:|a:\d+:)" "id:1001,phase:2,deny,status:403,msg:'PHP Object Injection Attempt'"
Cloudflare WAF: Create custom rule blocking requests with PHP serialized patterns in POST body
PHP Configuration Hardening
Disable dangerous PHP functions and restrict unserialize() usage. Note that disabling unserialize() globally causes a fatal error on every legitimate code path that calls it, so test the application before deploying this in production.
php.ini modification: disable_functions = unserialize
Alternative: Use php.ini setting: unserialize_callback_func = __check_unserialize (PHP invokes this callback only when unserialize() meets a class that is not defined; the application must define the function and have it reject the request.)
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing PHP serialized objects in POST parameters
- Restrict access to the vulnerable endpoint using IP whitelisting or authentication requirements
🔍 How to Verify
Check if Vulnerable:
Check if your UNA CMS version is between 9.0.0-RC1 and 14.0.0-RC4 by examining the version file or admin panel. Review BxBaseMenuSetAclLevel.php for unserialize() calls on untrusted POST input.
Check Version:
grep -r "UNA_VERSION" /path/to/una/installation/ or check Admin Panel → System → About
Verify Fix Applied:
Verify that the patched version (14.0.0-RC5+) is installed and that BxBaseMenuSetAclLevel.php no longer passes user-controlled input to unserialize().
📡 Detection & Monitoring
Log Indicators:
- POST requests to endpoints containing BxBaseMenuSetAclLevel.php with unusual profile_id values
- Web server error logs showing PHP unserialize errors
- Unusual PHP process execution from web user context
Network Indicators:
- HTTP POST requests containing serialized PHP object patterns (O:8:, C:11:, a:3:)
- Outbound connections from web server to unknown IPs post-exploitation
SIEM Query:
source="web_logs" AND (uri="*BxBaseMenuSetAclLevel.php*" AND method="POST" AND post_data MATCHES "(O:\d+:|C:\d+:|a:\d+:)")
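An offline detector for the indicator above, as an added example that is not part of the advisory or of UNA CMS: it applies the same serialized-PHP pattern as the ModSecurity rule, scoped to the endpoint and method the SIEM query names, and additionally flags any non-numeric profile_id (a tighter check than the advisory's regex). The record shape (JSON lines with src, method, uri and post_data fields), the URI path and the log lines are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs

# Same pattern as the advisory's ModSecurity rule and SIEM query.
SERIALIZED_PHP_RE = re.compile(r"(O:\d+:|C:\d+:|a:\d+:)")
TARGET_FILE = "BxBaseMenuSetAclLevel.php"

# Constructed sample records in an assumed WAF/audit-log shape; the URI path is
# hypothetical and the traffic is not real.
SAMPLE_LOG = r"""
{"src": "203.0.113.10", "method": "POST", "uri": "/hypothetical/BxBaseMenuSetAclLevel.php", "post_data": "profile_id=42"}
{"src": "203.0.113.11", "method": "POST", "uri": "/hypothetical/BxBaseMenuSetAclLevel.php", "post_data": "profile_id=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"}
{"src": "203.0.113.12", "method": "GET", "uri": "/hypothetical/BxBaseMenuSetAclLevel.php", "post_data": ""}
{"src": "203.0.113.13", "method": "POST", "uri": "/index.php", "post_data": "profile_id=a%3A1%3A%7Bi%3A0%3Bi%3A1%3B%7D"}
{"src": "203.0.113.14", "method": "POST", "uri": "/hypothetical/BxBaseMenuSetAclLevel.php", "post_data": "profile_id=abc"}
"""


def classify_profile_id(value):
    """Return a reason string if a decoded profile_id value looks hostile, else None."""
    if SERIALIZED_PHP_RE.search(value):
        return "serialized PHP pattern"
    # Tighter than the advisory's regex: a legitimate profile_id is a plain integer.
    if not value.isdigit():
        return "non-numeric profile_id"
    return None


def inspect_record(record):
    """Apply the SIEM query's scoping (POST to the vulnerable file), then check profile_id."""
    if record.get("method") != "POST" or TARGET_FILE not in record.get("uri", ""):
        return None
    params = parse_qs(record.get("post_data", ""), keep_blank_values=True)
    for value in params.get("profile_id", []):
        reason = classify_profile_id(value)
        if reason:
            return reason
    return None


def scan(log_text):
    """Return (src, reason) for every JSON-line record that matches the indicator."""
    hits = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        reason = inspect_record(record)
        if reason:
            hits.append((record["src"], reason))
    return hits


if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

The record for /index.php is deliberately not flagged because the scan follows the SIEM query's endpoint scoping; drop the TARGET_FILE test in inspect_record to match the broader ModSecurity rule instead.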