CVE-2025-15394
Remote Code Injection in iCMS 8.0.0 POST Parameter Handler
Publication date: 2025-12-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icms | icms | 8.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15394 is a critical Remote Code Execution (RCE) vulnerability in iCMS versions up to 8.0.0. It exists in the save() function of the ConfigAdmincp class (file app/config/ConfigAdmincp.php). The vulnerability arises because the saveCall POST parameter, which specifies function names to be called, is accepted directly from authenticated administrators without validation or sanitization. This allows an attacker with valid administrator credentials and session to execute arbitrary PHP functions remotely by manipulating the config and saveCall POST parameters. Although CSRF protection exists, it does not prevent attacks from authenticated users, meaning an attacker must have admin access or trick an admin into submitting malicious requests. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to full server compromise by allowing an attacker to execute arbitrary PHP functions remotely. Exploitation can result in arbitrary command execution, file system manipulation (such as creating or uploading files including webshells), data breaches, and potential lateral movement within internal networks. The attacker needs valid administrator credentials and session, but once exploited, it impacts confidentiality, integrity, and availability of the affected system. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying the presence of the vulnerable file `app/config/ConfigAdmincp.php` in iCMS installations up to version 8.0.0. One method is using Google dorking with the query `inurl:app/config/ConfigAdmincp.php` to find potentially vulnerable targets. On your network or system, you can check for the existence of this file and the iCMS version. Additionally, monitoring POST requests to `/admincp.php/config/system` with parameters like `saveCall` and `config` may indicate exploitation attempts. Specific commands to detect the vulnerable file or endpoints include:

1. Using `find` or `grep` on the server to locate the file, e.g., `find /var/www -name ConfigAdmincp.php`
2. Using curl or similar tools to test the endpoint, e.g., `curl -I http://yourserver/admincp.php/config/system`
3. Searching web server logs for POST requests containing `saveCall` or suspicious parameters.

However, no direct detection commands for exploit attempts are provided. [3, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Restrict access to the admin backend (`/admincp.php`) to trusted IP addresses or VPNs to prevent unauthorized access.
2. Ensure that only trusted administrators have access and educate them about the risk of CSRF attacks.
3. Implement a strict whitelist of allowed callback functions in the `save()` method to prevent arbitrary function execution, as the vulnerability arises from accepting unsanitized function names via the `saveCall` POST parameter.
4. Monitor and block suspicious POST requests containing `saveCall` or `config` parameters.
5. Since no official patch or vendor response is available, consider replacing iCMS with an alternative product or applying custom code fixes to sanitize inputs and restrict callable functions.
6. Invalidate and rotate administrator session cookies and CSRF tokens if compromise is suspected. [2, 3]
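The following is an added illustration of mitigation step 3 (an allowlist of callback handlers), written for this page; it is not iCMS source code and does not reproduce the real `ConfigAdmincp::save()` method. The class, method and handler names (`ConfigSaveHandlers`, `saveCache`, `saveSystem`) are assumptions chosen for the example; only the `saveCall` and `config` POST parameter names come from the advisory text. The first function shows the generic CWE-94 shape the advisory describes (a function name taken straight from the request), the second shows the allowlisted form in which request values are only ever keys into a fixed table of handlers.

```php
<?php
declare(strict_types=1);

// ---------------------------------------------------------------------------
// Vulnerable pattern (CWE-94): the name of the function to run comes from the
// request itself, so any callable PHP function name can be supplied.
// Hypothetical shape only, not the real iCMS code.
// ---------------------------------------------------------------------------
function save_unsafe(array $post): mixed
{
    $config   = $post['config']   ?? [];
    $callback = $post['saveCall'] ?? null;          // attacker-controlled string

    if ($callback !== null && is_callable($callback)) {
        return call_user_func($callback, $config);  // arbitrary function execution
    }
    return null;
}

// ---------------------------------------------------------------------------
// Hardened pattern: the request may only select an entry from a fixed
// allowlist. The value is used as an array key, never as a function name.
// ---------------------------------------------------------------------------
final class ConfigSaveHandlers
{
    // Request value => private method on this class. Nothing outside this
    // table can be invoked, whatever `saveCall` contains.
    private const HANDLERS = [
        'cache'  => 'saveCache',
        'system' => 'saveSystem',
    ];

    public static function save(array $post): string
    {
        $requested = (string) ($post['saveCall'] ?? '');
        $config    = $post['config'] ?? [];

        if (!is_array($config)) {
            throw new InvalidArgumentException('config must be an array');
        }
        if (!array_key_exists($requested, self::HANDLERS)) {
            // Reject and record the attempt: a non-allowlisted value here is
            // exactly the signal mitigation step 4 tells operators to watch for.
            error_log('Rejected saveCall value: ' . $requested);
            throw new InvalidArgumentException('Unknown saveCall handler');
        }

        $method = self::HANDLERS[$requested];      // trusted, from the table
        return self::$method($config);             // variable static call
    }

    private static function saveCache(array $config): string
    {
        // Placeholder for the real cache-settings persistence logic.
        return 'cache settings saved (' . count($config) . ' keys)';
    }

    private static function saveSystem(array $config): string
    {
        // Placeholder for the real system-settings persistence logic.
        return 'system settings saved (' . count($config) . ' keys)';
    }
}

// Demonstration with constructed request data (not a captured request).
$ok = ConfigSaveHandlers::save(['saveCall' => 'system', 'config' => ['site' => 'x']]);
echo $ok, PHP_EOL;                                  // system settings saved (1 keys)

try {
    ConfigSaveHandlers::save(['saveCall' => 'phpinfo', 'config' => []]);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;   // blocked: Unknown saveCall handler
}
```

The design point is that the allowlist maps request strings to handlers rather than validating the string and then still calling it by name; a validation regex can be bypassed or drift out of sync with the code, whereas a lookup table cannot call anything it does not contain. The `error_log()` line is there so that rejected values surface in the application log, which gives the monitoring in step 4 something concrete to alert on.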
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.