CVE-2025-15393
Remote Code Injection in Kohana KodiCMS Layout API Endpoint
Publication date: 2025-12-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kohana | kodicms | 13.82.135 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows remote code injection leading to compromise of confidentiality, integrity, and availability of the system. Such a compromise can result in unauthorized access to sensitive data, potentially violating compliance requirements of standards like GDPR and HIPAA which mandate protection of personal and health information. Since the vulnerability enables attackers to execute arbitrary code and potentially access or manipulate protected data, it poses a significant risk to compliance with these regulations. [1, 2]
Can you explain this vulnerability to me?
CVE-2025-15393 is a code injection vulnerability in Kohana KodiCMS versions up to 13.82.135. It exists in the save function of the file cms/modules/kodicms/classes/kodicms/model/file.php, part of the Layout API Endpoint. The vulnerability occurs because the content argument is not properly sanitized, allowing an attacker to inject and execute arbitrary PHP code remotely. An attacker with a valid API key can send a crafted PUT request to the Layout API endpoint to save malicious PHP code as a file in the publicly accessible layouts directory, effectively creating a webshell for remote command execution. This vulnerability is remotely exploitable, has low attack complexity, and is associated with CWE-94 (Improper Neutralization of Directives in Dynamically Evaluated Code). The vendor was notified but did not respond, and no known mitigations exist. [1, 2]
How can this vulnerability impact me? :
This vulnerability can severely impact you by allowing an attacker to execute arbitrary PHP code on your server remotely. This can lead to unauthorized access, data theft, system compromise, and disruption of service. The attacker can create a webshell to run system commands, potentially gaining full control over the affected system. Because the vulnerability affects confidentiality, integrity, and availability, it poses a critical risk to your system's security and stability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable file path on your system or network, such as `cms/modules/kodicms/classes/kodicms/model/file.php`. You can use Google dorking with the query `inurl:cms/modules/kodicms/classes/kodicms/model/file.php` to identify exposed targets. Additionally, detection involves checking for unauthorized or suspicious PUT requests to the Layout API endpoint (`cms/modules/kodicms/classes/kodicms/controller/api/layout.php`) that may contain malicious payloads. Commands to detect suspicious activity could include monitoring web server logs for PUT requests to the API endpoint, for example using `grep 'PUT /cms/modules/kodicms/classes/kodicms/controller/api/layout.php' /var/log/apache2/access.log` or equivalent for your web server. Also, scanning for unexpected PHP files in the `/layouts/` directory (e.g., `find /path/to/webroot/layouts/ -name '*.php'`) may help identify webshells created by exploitation. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing or upgrading the affected Kohana KodiCMS product to a version that is not vulnerable, if available. Since no vendor patch or countermeasures exist, it is recommended to disable or restrict access to the Layout API endpoint to prevent authenticated users from exploiting the vulnerability. Limit API key exposure by securing access to the admin panel, configuration files, and databases to prevent attackers from obtaining valid API keys. Monitor and restrict PUT requests to the vulnerable API endpoint. If possible, remove or restrict write permissions to the `/layouts/` directory to prevent malicious file creation. Consider implementing web application firewalls (WAF) rules to block suspicious requests targeting the vulnerable endpoint. Ultimately, replacing the affected product with a secure alternative is advised. [1, 2]