CVE-2025-15375
Remote Deserialization Vulnerability in EyouCMS arcpagelist Handler
Publication date: 2025-12-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thinkphp | thinkphp | 5.0.24 |
| eyoucms | eyoucms | 1.7.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15375 is a critical PHP Object Injection vulnerability in EyouCMS versions up to 1.7.7. It occurs because the application uses PHP's native unserialize() function on data from the ey_arcmulti database table's attstr field without restricting allowed classes, leading to unsafe deserialization. An attacker who can write malicious serialized payloads into this database field (via SQL injection, admin access, or direct database access) can trigger the deserialization when a victim accesses a page using the arcpagelist functionality. This unsafe deserialization can lead to Remote Code Execution (RCE), arbitrary file deletion, or database manipulation by exploiting known gadget chains in ThinkPHP 5.0.24. The vulnerability is located in the file application/api/controller/Ajax.php in the arcpagelist handler. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including Remote Code Execution (RCE), allowing an attacker to execute arbitrary code on the affected system remotely. It can also lead to arbitrary file deletion, arbitrary file write, and database manipulation. These impacts compromise the confidentiality, integrity, and availability of the system. Exploitation requires the attacker to be able to write malicious serialized data into the database and then trigger its deserialization via an AJAX request to the vulnerable endpoint. Successful exploitation can result in critical system compromise and data loss. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your system is running EyouCMS version 1.7.7 or earlier and if the vulnerable endpoint `application/api/controller/Ajax.php` with the `arcpagelist` handler is accessible. One method is to use Google dorking with the query `inurl:application/api/controller/Ajax.php` to find potentially vulnerable targets. Additionally, monitoring for AJAX POST requests to the URL pattern `http://target/index.php?m=api&c=Ajax&a=arcpagelist` with suspicious parameters such as `tagid` and `tagidmd5` may help detect exploitation attempts. You can also check the database table `ey_arcmulti` for suspicious or unexpected serialized payloads in the `attstr` field. Example commands for detection might include: 1. Using curl or similar tools to test the endpoint: ```bash curl -X POST 'http://target/index.php?m=api&c=Ajax&a=arcpagelist' -d 'tagid=somevalue&tagidmd5=somevalue' -H 'X-Requested-With: XMLHttpRequest' ``` 2. Searching the database for suspicious serialized data: ```sql SELECT tagid, attstr FROM ey_arcmulti WHERE attstr LIKE '%O:%'; ``` This looks for serialized PHP objects in the `attstr` field. 3. Using Google dorking: ```bash site:targetdomain.com inurl:application/api/controller/Ajax.php ``` [3, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Upgrade EyouCMS to version 1.7.8 or later, where the vulnerability is fixed. 2. Replace unsafe `unserialize()` calls in the vulnerable code with safer alternatives, such as using a `safe_unserialize()` function or PHP's `unserialize()` with the `allowed_classes` parameter set to false to prevent object instantiation. For example: ```php $attarray = safe_unserialize(stripslashes($arcmultiRow['attstr'])); ``` or ```php $attarray = unserialize(stripslashes($arcmultiRow['attstr']), ['allowed_classes' => false]); ``` 3. Consider replacing serialization with JSON encoding/decoding to avoid unsafe deserialization altogether: store data with `json_encode()` and retrieve with `json_decode()`. 4. Restrict write access to the `ey_arcmulti.attstr` database field to prevent attackers from injecting malicious serialized payloads, including securing against SQL injection and limiting admin/template editing privileges. 5. Monitor and block suspicious AJAX requests targeting the vulnerable endpoint. These steps reduce the risk of exploitation until a full patch is applied. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows remote attackers to execute arbitrary code, delete files, and manipulate data, which can compromise the confidentiality, integrity, and availability of the affected system. Such compromises can lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of personal data and system integrity. However, the provided resources do not explicitly discuss compliance impacts or regulatory consequences. [2, 3]