Cyber Resilience

CVE-2025-25379

Critical

Published: 28 February 2025

Modified: 15 April 2025
CVSS Score (v3.1): 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0085 (75.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25379 is a critical-severity CSRF (CWE-352) vulnerability in 07Fly 07Flycms. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.7% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25379 is a cross-site request forgery vulnerability, tracked under CWE-352, that affects 07FLYCMS version 1.3.9. The flaw resides in the del.html component and can be triggered through the id parameter, enabling remote code execution. It carries a CVSS 3.1 base score of 9.6, reflecting a network attack vector, low attack complexity, no required privileges, required user interaction, and a changed scope with high impact on confidentiality, integrity, and availability.

A remote attacker can exploit the issue by crafting a malicious request that an authenticated user is tricked into submitting, resulting in arbitrary code execution on the affected 07FLYCMS instance without direct authentication to the application.

The two provided references both point to the same GitHub repository path, containing a readme file that appears to document the vulnerability but includes no official patch or mitigation guidance.

EPSS for this CVE rose from a low baseline to a recorded peak of 0.0164, indicating emerging exploitation interest after disclosure.


Vulnerability details

Cross Site Request Forgery vulnerability in 07FLYCMS v.1.3.9 allows a remote attacker to execute arbitrary code via the id parameter of the del.html component.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1204.001 Malicious Link (Execution): an adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

A CSRF vulnerability in a public-facing CMS that allows RCE via a forged link requiring user interaction maps directly to T1190 (exploit public-facing application) and T1204.001 (malicious link for user execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-25121 (shared CWE-352)
- CVE-2025-24001 (shared CWE-352)
- CVE-2025-25147 (shared CWE-352)
- CVE-2026-34904 (shared CWE-352)
- CVE-2024-26153 (shared CWE-352)
- CVE-2025-28860 (shared CWE-352)
- CVE-2026-45430 (shared CWE-352)
- CVE-2025-23880 (shared CWE-352)
- CVE-2025-59541 (shared CWE-352)
- CVE-2026-23622 (shared CWE-352)

Affected Assets

- Vendor: 07fly
- Product: 07flycms
- Version: 1.3.9

Mitigating Controls (NIST 800-53 r5)

- Prevent: SC-23 (Session Authenticity) requires mechanisms such as anti-CSRF tokens to protect session authenticity, directly preventing forged requests that exploit the del.html id parameter in 07FLYCMS.
- Prevent: SI-10 (Information Input Validation) mandates validation of information inputs such as the id parameter, blocking arbitrary code execution from malicious values submitted through a forged request.
- Prevent: IA-11 (Re-authentication) enforces re-authentication for sensitive actions such as deletions in del.html, mitigating CSRF by requiring fresh credentials beyond the session cookie alone.
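The three controls above, applied to a del.html-style delete action, as an added example that is not 07FLYCMS code and does not describe its internals; the session cookie name, the signing key, the re-authentication window and the in-memory session store are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical server-side signing key and policy values (constructed for this example).
SERVER_KEY = secrets.token_bytes(32)
REAUTH_WINDOW_SECONDS = 300        # IA-11: deletes need a login newer than this
SESSION_COOKIE = "PHPSESSID"       # assumed cookie name, not taken from 07FLYCMS

@dataclass
class Session:
    session_id: str
    last_auth: float               # epoch seconds of the last password check

@dataclass
class Request:
    method: str
    form: Dict[str, str]
    cookies: Dict[str, str]

# In-memory session store standing in for the CMS's real one (constructed).
SESSIONS: Dict[str, Session] = {}

def csrf_token(session_id: str) -> str:
    """SC-23: token derived from the session, so a cross-site forged request cannot supply it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def authorize_delete(req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
    """Gate for a del.html-style action; returns (allowed, reason for rejection)."""
    now = time.time() if now is None else now
    if req.method != "POST":                       # state changes never ride on GET links
        return False, "method"
    session = SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))
    if session is None:                            # the browser attaches the cookie automatically,
        return False, "session"                    # so its presence alone proves nothing about intent
    expected = csrf_token(session.session_id)
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return False, "csrf"                       # forged requests lack the session-bound token
    raw_id = req.form.get("id", "")
    if not (raw_id.isascii() and raw_id.isdigit() and 0 < int(raw_id) < 2**31):
        return False, "id"                         # SI-10: id is a strict positive integer, nothing else
    if now - session.last_auth > REAUTH_WINDOW_SECONDS:
        return False, "reauth"                     # IA-11: fresh credentials required for deletes
    return True, "ok"
```

A forged cross-site request reaches this gate with a valid session cookie but without the token, so it is rejected before the id is ever used.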
