CVE-2025-15250
Remote Code Injection in 08CMS Template Handler (admina/mtpls.inc.php)
Publication date: 2025-12-30
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 08cms | novel_system | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the 08CMS Novel System up to version 3.4, specifically in the file admina/mtpls.inc.php within the Template Handler component. It allows an attacker to perform code injection remotely by manipulating the processing of this file. The vulnerability has been publicly disclosed and can be exploited.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized code execution on the affected system, potentially allowing an attacker to compromise the system's integrity, confidentiality, and availability. This could result in data breaches, system manipulation, or denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking for the presence of unauthorized PHP files uploaded via the CMS template system, especially files like 'hkey.php' in the template directories. Additionally, monitoring HTTP requests for suspicious parameters such as '?pass=' executing PHP code can indicate exploitation attempts. Commands to help detect this include:
1) Searching for recently modified or suspicious PHP files in the template directories, e.g., `find /path/to/08cms/template/ -name '*.php' -exec ls -l {} \;`
2) Using web server logs to grep for requests containing suspicious parameters, e.g., `grep 'pass=' /var/log/apache2/access.log` or `grep 'pass=' /var/log/nginx/access.log`
3) Checking for the presence of the vulnerable function usage or suspicious file writes in the codebase, though this is more static analysis.
These steps help identify if the backdoor or malicious code injection has occurred. [1]
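The two checks above can be combined into a small triage script. This is an added example, not code from the advisory or from 08CMS; it assumes the common/combined access log format, and every path, address and log line in it is constructed sample data.

```bash
#!/usr/bin/env bash
# Triage helpers for the two indicators described above. Sample data is constructed.

# Print every PHP file under a template tree. Template directories normally
# hold markup only, so each hit (for example hkey.php) needs a manual review.
list_template_php() {
    find "$1" -type f -iname '*.php' -print | sort
}

# Print "client status url" for requests to a .php path whose query string has
# a parameter named exactly "pass". A bare grep for 'pass=' also matches
# unrelated parameters such as "bypass=" or "compass=".
# Assumes the common/combined log format (request line in double quotes).
scan_access_log() {
    awk -F'"' '{
        split($2, req, " ")                     # req[1] = method, req[2] = URL
        q = index(req[2], "?")
        if (q == 0) next                        # no query string
        path  = tolower(substr(req[2], 1, q - 1))
        query = substr(req[2], q + 1)
        if (path !~ /\.php$/) next              # only requests to PHP files
        if (("&" query) !~ /&pass=/) next       # parameter name must be "pass"
        split($1, pre, " "); split($3, post, " ")
        print pre[1], post[1], req[2]
    }' "$1"
}

# Demo on constructed data (documentation IP ranges, made-up paths).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/template/default"
    : > "$tmp/template/default/index.html"
    : > "$tmp/template/default/hkey.php"
    cat > "$tmp/access.log" <<'EOF'
192.0.2.10 - - [30/Dec/2025:10:00:01 +0000] "GET /index.php?bypass=1 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [30/Dec/2025:10:02:13 +0000] "GET /template/default/hkey.php?pass=PLACEHOLDER HTTP/1.1" 200 74 "-" "curl/8.0"
192.0.2.10 - - [30/Dec/2025:10:03:40 +0000] "GET /template/default/style.css?pass=1 HTTP/1.1" 200 901 "-" "Mozilla/5.0"
EOF
    echo "PHP files in template tree:"; list_template_php "$tmp/template"
    echo "Requests with a pass parameter:"; scan_access_log "$tmp/access.log"
    rm -rf "$tmp"
}
demo
```

Access logs record only the query string, so a `pass` value sent in a POST body will not appear here; the file check covers that case.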
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Restricting or disabling the ability to upload or modify template files via the CMS interface until a patch is applied.
2) Removing any suspicious or unauthorized PHP files found in the template directories, such as 'hkey.php'.
3) Applying strict input validation and sanitization on file names and contents in the CMS code, especially in the 'str2file' function.
4) Updating the 08CMS system to a version where this vulnerability is fixed, if available.
5) Monitoring and blocking suspicious HTTP requests that attempt to exploit this vulnerability.
6) Limiting permissions of the web server user to prevent unauthorized file writes.
These steps reduce the risk of exploitation and limit the impact if an attacker attempts to use this vulnerability. [1]