Cyber Resilience

CVE-2025-22204

Critical · RCE

Published: 04 February 2025
Modified: 04 June 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0748 (92.0th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22204 is a critical-severity Code Injection (CWE-94) vulnerability in Regularlabs Sourcerer. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an instance of improper control of code generation, tracked as CWE-94, that affects the Sourcerer extension for Joomla in all versions prior to 11.0.0. The flaw received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction and result in complete loss of confidentiality, integrity, and availability.

An unauthenticated attacker with network reachability can supply crafted input that causes the extension to generate and execute arbitrary PHP code on the underlying Joomla server, thereby achieving remote code execution and full control of the affected site and its data.

The sole reference points to the vendor site regularlabs.com/sourcerer, which distributes version 11.0.0, the release that resolves the issue; administrators should upgrade the extension to that release or later. The associated EPSS score has remained flat at 0.0748 with no observed increase since publication.

Vulnerability details

Improper control of generation of code in the Sourcerer extension for Joomla in versions before 11.0.0 leads to a remote code execution vulnerability.

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote code execution vulnerability in a public-facing Joomla extension that can be exploited by unauthenticated attackers over the network, directly mapping to exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773 · Shared CWE-94
CVE-2025-50692 · Shared CWE-94
CVE-2026-30643 · Shared CWE-94
CVE-2026-30460 · Shared CWE-94
CVE-2025-71243 · Shared CWE-94
CVE-2026-44262 · Shared CWE-94
CVE-2024-13792 · Shared CWE-94
CVE-2020-37052 · Shared CWE-94
CVE-2026-42555 · Shared CWE-94
CVE-2025-65037 · Shared CWE-94

Affected Assets

regularlabs · sourcerer · ≤ 11.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing this RCE vulnerability by mandating upgrades to Sourcerer extension version 11.0.0 or later.

prevent

SI-10 enforces input validation to mitigate code injection (CWE-94) from improper code generation control in the Sourcerer extension.

detect

RA-5 enables vulnerability scanning to identify the outdated Sourcerer extension vulnerable to this RCE prior to exploitation.
