CVE-2025-11138

Severity: Low · Public PoC

Published: 29 September 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 Score: 2.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0069 (72.4th percentile)
Risk Priority: 5 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11138 is a Command Injection (CWE-77) vulnerability in mirweiye wenkucms (versions up to 3.4). The CVSS v4 score shown above, 2.1 (Low), is computed with the Exploit Maturity threat metric set to proof-of-concept (E:P); the CVSS v3.1 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 27.6% of CVEs by exploit likelihood (EPSS 0.0069, 72.4th percentile), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-11138 is an OS command injection vulnerability (CWE-77, CWE-78) in mirweiye wenkucms versions up to 3.4. The flaw is in the createPathOne function in the file app/common/common.php, where attacker-controlled input reaches an operating-system command without adequate neutralization. Published on 2025-09-29, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

An attacker with low privileges, such as an authenticated user, can exploit this remotely with low attack complexity and no user interaction. Successful exploitation yields OS command execution in the context of the web application process, scored as a limited (Low) impact on confidentiality, integrity, and availability.
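The pattern behind this class of flaw, and the input-validation fix that NIST SI-10 calls for, as an added illustrative example. This is not wenkucms code: the real body of createPathOne is not reproduced on this page, so the function names, arguments and the assumption that the helper creates a directory from a user-supplied name are hypothetical. The example shows a vulnerable shape that concatenates a path segment into a shell command, and a hardened shape that validates the segment against an allowlist, confines it under a base directory, and avoids the shell entirely.

```php
<?php
// Added illustrative example (not the wenkucms project's code).
// The function names and the "create a directory from a user-supplied
// name" behaviour are assumptions made for the demonstration.

declare(strict_types=1);

// VULNERABLE PATTERN (hypothetical): an attacker-controlled path segment is
// concatenated into a shell command line. A name such as
//   "docs; id > /tmp/pwned"
// terminates the mkdir command and runs the injected command (CWE-78).
function createPathVulnerable(string $base, string $name): string
{
    $target = $base . '/' . $name;
    exec('mkdir -p ' . $target);   // no validation, no escaping
    return $target;
}

// HARDENED PATTERN: allowlist-validate the untrusted segment (NIST SI-10),
// confine the result under the intended base directory, and use the PHP
// filesystem API instead of a shell, so there is no command line for
// metacharacters to break out of.
function validatePathSegment(string $name): bool
{
    // Exactly one path component: letters, digits, underscore, dash, dot;
    // no separators, no "." or "..", bounded length.
    return $name !== '.' && $name !== '..'
        && preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name) === 1;
}

function createPathHardened(string $base, string $name): string
{
    if (!validatePathSegment($name)) {
        throw new InvalidArgumentException('invalid path segment');
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $target = $baseReal . DIRECTORY_SEPARATOR . $name;
    // Tolerate a concurrent creator: mkdir may fail because it now exists.
    if (!is_dir($target) && !mkdir($target, 0750, true) && !is_dir($target)) {
        throw new RuntimeException('could not create directory');
    }
    // Defence in depth: the created directory must resolve under the base.
    $targetReal = realpath($target);
    if ($targetReal === false
        || strpos($targetReal, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes base directory');
    }
    return $targetReal;
}

// If a shell is genuinely unavoidable, escapeshellarg() is the minimum.
// It only neutralizes shell metacharacters; it does nothing about the
// traversal half of the problem, so the allowlist check is still required.
function createPathEscaped(string $base, string $name): string
{
    if (!validatePathSegment($name)) {
        throw new InvalidArgumentException('invalid path segment');
    }
    $target = $base . '/' . $name;
    exec('mkdir -p ' . escapeshellarg($target));
    return $target;
}

// Demonstration with constructed inputs (the vulnerable function is
// deliberately not executed here).
$base = sys_get_temp_dir() . '/wenku-demo';
@mkdir($base, 0750, true);

foreach (['docs', 'docs; id > /tmp/pwned', '../etc', 'a/b'] as $name) {
    try {
        echo "accepted: " . createPathHardened($base, $name) . PHP_EOL;
    } catch (Throwable $e) {
        echo "rejected '$name': " . $e->getMessage() . PHP_EOL;
    }
}
```

Of the four constructed inputs only "docs" passes; the injection payload, the traversal and the embedded separator are all rejected before any filesystem call. Running the process under a low-privilege account (NIST AC-6) bounds the damage if a similar helper elsewhere is missed.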

Advisories referenced in VulDB entries (ctiid.326215, id.326215, submit.657055) and a GitHub issue (electroN1chahaha/wenkucms-RCE/issues/1) confirm the remote attack vector. The exploit has been made public and could be used. No vendor patch or specific mitigation guidance is given in the referenced sources.

Vulnerability details

A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution (Defense Evasion): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

The OS command injection in wenkucms, a public-facing web application, gives a remote authenticated attacker code execution through the Unix shell (the public PoC uses a bash reverse shell). That maps to Unix Shell execution (T1059.004), exploitation of a public-facing application for initial access (T1190), and indirect command execution (T1202), as noted in the advisory.

CVEs Like This One

CVE-2025-7414 (shared CWE-77, CWE-78)
CVE-2025-8828 (shared CWE-77, CWE-78)
CVE-2025-10327 (shared CWE-77, CWE-78)
CVE-2025-14586 (shared CWE-77, CWE-78)
CVE-2025-9026 (shared CWE-77, CWE-78)
CVE-2025-10326 (shared CWE-77, CWE-78)
CVE-2025-10328 (shared CWE-77, CWE-78)
CVE-2025-8829 (shared CWE-77, CWE-78)
CVE-2025-8259 (shared CWE-77, CWE-78)
CVE-2025-9575 (shared CWE-77, CWE-78)

Affected Assets

Vendor: wenkucms project
Product: wenkucms
Version: up to 3.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of untrusted input before it reaches the createPathOne function, blocking the OS command injection vector described in the CVE.

AC-6 Least Privilege (prevent)
Enforces least privilege on the web application process and on authenticated users, limiting the scope of commands that can be executed even if injection succeeds.

System and command-execution monitoring (detect)
Enables monitoring of system calls and command execution patterns (for example, the web server process spawning a shell) that would reveal command injection attempts against common.php.
