CVE-2025-15375
Unknown Unknown - Not Provided
Remote Deserialization Vulnerability in EyouCMS arcpagelist Handler

Publication date: 2025-12-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15375
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
thinkphp thinkphp 5.0.24
eyoucms eyoucms 1.7.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15375 is a critical PHP Object Injection vulnerability in EyouCMS versions up to 1.7.7. It occurs because the application uses PHP's native unserialize() function on data from the ey_arcmulti database table's attstr field without restricting allowed classes, leading to unsafe deserialization. An attacker who can write malicious serialized payloads into this database field (via SQL injection, admin access, or direct database access) can trigger the deserialization when a victim accesses a page using the arcpagelist functionality. This unsafe deserialization can lead to Remote Code Execution (RCE), arbitrary file deletion, or database manipulation by exploiting known gadget chains in ThinkPHP 5.0.24. The vulnerability is located in the file application/api/controller/Ajax.php in the arcpagelist handler. [1, 2, 3]

Impact Analysis

This vulnerability can have severe impacts including Remote Code Execution (RCE), allowing an attacker to execute arbitrary code on the affected system remotely. It can also lead to arbitrary file deletion, arbitrary file write, and database manipulation. These impacts compromise the confidentiality, integrity, and availability of the system. Exploitation requires the attacker to be able to write malicious serialized data into the database and then trigger its deserialization via an AJAX request to the vulnerable endpoint. Successful exploitation can result in critical system compromise and data loss. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by identifying if your system is running EyouCMS version 1.7.7 or earlier and if the vulnerable endpoint `application/api/controller/Ajax.php` with the `arcpagelist` handler is accessible. One method is to use Google dorking with the query `inurl:application/api/controller/Ajax.php` to find potentially vulnerable targets. Additionally, monitoring for AJAX POST requests to the URL pattern `http://target/index.php?m=api&c=Ajax&a=arcpagelist` with suspicious parameters such as `tagid` and `tagidmd5` may help detect exploitation attempts. You can also check the database table `ey_arcmulti` for suspicious or unexpected serialized payloads in the `attstr` field. Example commands for detection might include: 1. Using curl or similar tools to test the endpoint: ```bash curl -X POST 'http://target/index.php?m=api&c=Ajax&a=arcpagelist' -d 'tagid=somevalue&tagidmd5=somevalue' -H 'X-Requested-With: XMLHttpRequest' ``` 2. Searching the database for suspicious serialized data: ```sql SELECT tagid, attstr FROM ey_arcmulti WHERE attstr LIKE '%O:%'; ``` This looks for serialized PHP objects in the `attstr` field. 3. Using Google dorking: ```bash site:targetdomain.com inurl:application/api/controller/Ajax.php ``` [3, 2]

Mitigation Strategies

Immediate mitigation steps include: 1. Upgrade EyouCMS to version 1.7.8 or later, where the vulnerability is fixed. 2. Replace unsafe `unserialize()` calls in the vulnerable code with safer alternatives, such as using a `safe_unserialize()` function or PHP's `unserialize()` with the `allowed_classes` parameter set to false to prevent object instantiation. For example: ```php $attarray = safe_unserialize(stripslashes($arcmultiRow['attstr'])); ``` or ```php $attarray = unserialize(stripslashes($arcmultiRow['attstr']), ['allowed_classes' => false]); ``` 3. Consider replacing serialization with JSON encoding/decoding to avoid unsafe deserialization altogether: store data with `json_encode()` and retrieve with `json_decode()`. 4. Restrict write access to the `ey_arcmulti.attstr` database field to prevent attackers from injecting malicious serialized payloads, including securing against SQL injection and limiting admin/template editing privileges. 5. Monitor and block suspicious AJAX requests targeting the vulnerable endpoint. These steps reduce the risk of exploitation until a full patch is applied. [2]

Compliance Impact

The vulnerability allows remote attackers to execute arbitrary code, delete files, and manipulate data, which can compromise the confidentiality, integrity, and availability of the affected system. Such compromises can lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of personal data and system integrity. However, the provided resources do not explicitly discuss compliance impacts or regulatory consequences. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15375. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart