CVE-2025-50286
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-11-07
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | 1.7.48 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated Remote Code Execution (RCE) flaw in Grav CMS version 1.7.48, specifically in the Admin Plugin version 1.10.48. An authenticated administrator can exploit the 'Direct Install' plugin upload feature at /admin/tools/direct-install by uploading a malicious plugin ZIP file containing arbitrary PHP code. The system automatically extracts and loads this plugin without proper validation, allowing the attacker to execute arbitrary PHP code on the server, including opening a reverse shell. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with admin access to execute arbitrary PHP code on the server, potentially leading to full system compromise. The attacker can gain reverse shell access as the www-data user, enabling them to run commands remotely, access sensitive data, modify or delete files, and potentially escalate privileges or disrupt services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious plugin uploads via the /admin/tools/direct-install endpoint in the Grav CMS Admin Panel. Specifically, look for plugin ZIP files being uploaded by authenticated admin users. Additionally, you can check for unusual HTTP requests containing commands or reverse shell attempts targeting this endpoint. A practical detection method includes setting up a listener on port 4444 to catch reverse shell connections. Commands to assist detection include using web server logs to grep for POST requests to /admin/tools/direct-install and inspecting uploaded plugin files for suspicious PHP code. For example, on the server, you can run: 1) grep "/admin/tools/direct-install" /var/log/apache2/access.log 2) find the plugin upload directory and inspect recently uploaded ZIP files for PHP files with suspicious content such as shell_exec or system calls. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the Direct Install plugin upload feature at /admin/tools/direct-install to prevent authenticated admins from uploading plugins without validation. Ensure only trusted administrators have access to the Admin Panel. Apply any available patches or updates from Grav CMS that address this vulnerability. Additionally, monitor and audit plugin uploads and consider implementing web application firewall (WAF) rules to block malicious payloads targeting this endpoint. If possible, disable or remove the vulnerable Admin Plugin version 1.10.48 until a fix is applied. [1]