CVE-2025-2043
Published: 06 March 2025
Summary
CVE-2025-2043 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Pb-Cms Project Pb-Cms. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CWE-20 improper input validation and CWE-502 deserialization of untrusted data by requiring validation of the Topic Key argument in the Add New Topic Handler.
Ensures timely identification, reporting, and remediation of the critical deserialization flaw in pb-cms 1.0.0 to prevent exploitation.
Boundary protection at web application interfaces can inspect and block remote manipulation of the Topic Key argument targeting the /admin#themes endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The deserialization vulnerability (CWE-502) in the admin web handler of this CMS allows remote exploitation by authenticated high-privilege users via argument manipulation, mapping to exploitation of a public-facing application.
NVD Description
A vulnerability was found in LinZhaoguan pb-cms 1.0.0 and classified as critical. This issue affects some unknown processing of the file /admin#themes of the component Add New Topic Handler. The manipulation of the argument Topic Key leads to deserialization. The…
more
attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2043 is a vulnerability in LinZhaoguan pb-cms version 1.0.0, classified as critical, that affects unknown processing in the /admin#themes file of the Add New Topic Handler component. The issue stems from manipulation of the Topic Key argument, resulting in deserialization, and is associated with CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data). It carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation by attackers who possess high privileges (PR:H), such as authenticated administrators. Successful attacks can achieve low-level impacts on confidentiality, integrity, and availability through the deserialization flaw.
Advisories from VulDB detail the issue at https://vuldb.com/?ctiid.298787, https://vuldb.com/?id.298787, and https://vuldb.com/?submit.513243, while a GitHub repository at https://github.com/Jingyi-u/Pb-cms2/blob/main/README.md provides additional context. The exploit has been publicly disclosed and may be used.
Details
- CWE(s)