CVE-2025-15130
Remote Code Injection in shanyu SyCms Admin Panel (addPost
Publication date: 2025-12-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shanyu | sycms | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the addPost function of the FileManageController in the administrative panel of shanyu SyCms. It allows an attacker to perform code injection remotely, meaning they can insert and execute malicious code on the affected system. The vulnerability affects versions up to a specific commit and only impacts unsupported versions of the product.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized code execution on the affected system, potentially allowing attackers to manipulate, damage, or take control of the system remotely. This can result in data loss, service disruption, or further compromise of the environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable file path or by identifying suspicious HTTP POST requests targeting the addPost function in the FileManageController. One detection method is to look for HTTP POST requests to the endpoint /Admin/FileManage/add with parameters such as 'path', 'title', and 'content' that may indicate arbitrary file writes. Additionally, Google dorking can be used to find exposed instances by searching for URLs containing the file path Application/Admin/Controller/FileManageController.class.php. A sample command to detect suspicious POST requests in web server logs could be: grep -i '/Admin/FileManage/add' /var/log/apache2/access.log or using a network monitoring tool to filter HTTP POST requests to that endpoint. Monitoring for unexpected PHP files created in directories like Runtime/ can also help detect exploitation attempts. [1, 3]
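The log-search method described above, as an added example that is not part of the VulDB record or the SyCms project: a small Python script that parses Apache combined-format access log lines, flags POST requests to the /Admin/FileManage/add endpoint, summarises them by source address, and separately lists PHP files found under the Runtime/ directory in a file inventory. The log lines and file paths below are constructed samples; the endpoint and directory names come from the answer above, while the case-insensitive path comparison and the helper names are this example's own assumptions.

```python
import re
import sys

# Constructed sample Apache combined-format log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2025:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Dec/2025:10:14:09 +0000] "POST /Admin/FileManage/add HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Dec/2025:10:15:30 +0000] "GET /Admin/FileManage/add HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Dec/2025:10:16:44 +0000] "POST /admin/filemanage/ADD?x=1 HTTP/1.1" 200 311 "-" "curl/8.0"
192.0.2.9 - - [28/Dec/2025:10:17:00 +0000] "POST /Admin/Login/index HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint and directory named in the detection advice above.
FILEMANAGE_ADD = "/Admin/FileManage/add"
WATCHED_DIR = "Runtime/"


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # strip query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_filemanage_add_posts(log_text, endpoint=FILEMANAGE_ADD):
    """Return every POST to the file-manager add endpoint.

    The path is compared case-insensitively (an assumption of this example) so that
    trivial case variations in the request line are not missed; GETs to the same
    path are ordinary admin UI loads and are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].lower() == endpoint.lower():
            hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per source address, most active first."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def unexpected_php_files(paths, watched_prefix=WATCHED_DIR):
    """Given relative paths from a file inventory, list PHP files under the watched directory.

    Runtime/ normally holds caches and logs, so a .php file there is worth a look.
    """
    return sorted(
        p for p in paths
        if p.startswith(watched_prefix) and p.lower().endswith(".php")
    )


if __name__ == "__main__":
    # Usage: python detect_filemanage_add.py [access.log]; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_filemanage_add_posts(text)
    for rec in hits:
        print(f"{rec['ts']} {rec['ip']} POST {rec['target']} -> {rec['status']}")
    print("per-source counts:", summarize_by_ip(hits))
    # Constructed inventory to show the second check.
    sample_inventory = ["Runtime/Cache/x.php", "Runtime/Logs/25_12_28.log", "Public/index.php"]
    print("php files under Runtime/:", unexpected_php_files(sample_inventory))
```

Run against the sample, the script reports the two POSTs from 203.0.113.5 and ignores both the GET to the same endpoint and the POST to the login route; feed it a real access log as the first argument to run the same check in place. A flagged request is a lead, not a verdict: confirm it against the administrator audit trail and the modification times of files under the document root before treating it as exploitation.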
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the administrative panel, especially the file upload functionality in the FileManageController. Since no patches or countermeasures are available and the product is no longer supported, it is recommended to replace SyCms with an alternative content management system. Additionally, ensure that only trusted and authenticated administrative users have access, and monitor for any suspicious file creations or modifications on the server. Applying strict access controls and network segmentation to limit exposure of the administrative interface can also reduce risk. [1, 2]