Executive Summary

CVE-2025-15393 is a code injection vulnerability in Kohana KodiCMS versions up to 13.82.135. It exists in the save function of the file cms/modules/kodicms/classes/kodicms/model/file.php, part of the Layout API Endpoint. The vulnerability occurs because the content argument is not properly sanitized, allowing an attacker to inject and execute arbitrary PHP code remotely. An attacker with a valid API key can send a crafted PUT request to the Layout API endpoint to save malicious PHP code as a file in the publicly accessible layouts directory, effectively creating a webshell for remote command execution. This vulnerability is remotely exploitable, has low attack complexity, and is associated with CWE-94 (Improper Neutralization of Directives in Dynamically Evaluated Code). The vendor was notified but did not respond, and no known mitigations exist. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can severely impact you by allowing an attacker to execute arbitrary PHP code on your server remotely. This can lead to unauthorized access, data theft, system compromise, and disruption of service. The attacker can create a webshell to run system commands, potentially gaining full control over the affected system. Because the vulnerability affects confidentiality, integrity, and availability, it poses a critical risk to your system's security and stability. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by searching for the presence of the vulnerable file path on your system or network, such as `cms/modules/kodicms/classes/kodicms/model/file.php`. You can use Google dorking with the query `inurl:cms/modules/kodicms/classes/kodicms/model/file.php` to identify exposed targets. Additionally, detection involves checking for unauthorized or suspicious PUT requests to the Layout API endpoint (`cms/modules/kodicms/classes/kodicms/controller/api/layout.php`) that may contain malicious payloads. Commands to detect suspicious activity could include monitoring web server logs for PUT requests to the API endpoint, for example using `grep 'PUT /cms/modules/kodicms/classes/kodicms/controller/api/layout.php' /var/log/apache2/access.log` or equivalent for your web server. Also, scanning for unexpected PHP files in the `/layouts/` directory (e.g., `find /path/to/webroot/layouts/ -name '*.php'`) may help identify webshells created by exploitation. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include replacing or upgrading the affected Kohana KodiCMS product to a version that is not vulnerable, if available. Since no vendor patch or countermeasures exist, it is recommended to disable or restrict access to the Layout API endpoint to prevent authenticated users from exploiting the vulnerability. Limit API key exposure by securing access to the admin panel, configuration files, and databases to prevent attackers from obtaining valid API keys. Monitor and restrict PUT requests to the vulnerable API endpoint. If possible, remove or restrict write permissions to the `/layouts/` directory to prevent malicious file creation. Consider implementing web application firewalls (WAF) rules to block suspicious requests targeting the vulnerable endpoint. Ultimately, replacing the affected product with a secure alternative is advised. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows remote code injection leading to compromise of confidentiality, integrity, and availability of the system. Such a compromise can result in unauthorized access to sensitive data, potentially violating compliance requirements of standards like GDPR and HIPAA which mandate protection of personal and health information. Since the vulnerability enables attackers to execute arbitrary code and potentially access or manipulate protected data, it poses a significant risk to compliance with these regulations. [1, 2]

Useful 0 Not Useful 0