CRITICAL🇵🇱 Wersja polska

CVE-2025-44071

CVSS 9.8v3.1pub. 2025-05-05upd. 2025-05-13

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via a crafted request.

🤖 AI Analysis
How it works

The vulnerability results from unsafe input data processing in the phomebak.php component, classified as CWE-94 (improper control of code generation). An attacker can send a specially crafted HTTP request to the vulnerable endpoint, which leads to arbitrary code execution on the server side. The attack vector is network-based, requires no privileges or user interaction, making the vulnerability particularly dangerous.

Impact

Successful exploitation of the vulnerability allows an attacker to gain full control over the server — read, modify and delete data, install malicious software, and potentially perform lateral movement within the internal network.

Mitigation & patch

Apply patches available from the vendor according to the references. Until the update is applied, it is recommended to restrict access to the vulnerable phomebak.php component at the firewall or web server level and monitor suspicious HTTP requests directed to this endpoint.

Who is affected

SeaCMS version 13.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Seacms

    APP
    Seacms
    13.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-44073CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_comment_news.php

CVE-2025-44074CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_topic.php

CVE-2025-44072CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_manager.php

CVE-2025-29647CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php

CVE-2025-25520CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SeaCMS — podatny plik admin_pay.php