Cyber Resilience

CVE-2025-25789

Critical · Public PoC · RCE

Published: 26 February 2025
Modified: 09 April 2025
KEV Added
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0227 (85.0th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25789 is a critical-severity Code Injection (CWE-94) vulnerability in Foxcms Foxcms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

FoxCMS version 1.2.5 contains a remote code execution vulnerability in the index() method of the Sitemap.php controller file. The flaw is tracked as CVE-2025-25789 and is associated with CWE-94. It received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no requirements for authentication or user interaction.

An unauthenticated attacker with network access can supply crafted input to the affected method and execute arbitrary code on the server, resulting in full compromise of confidentiality, integrity, and availability. The published references consist of the vendor site and a public proof-of-concept repository that demonstrates the issue.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0411 (current value 0.0227), indicating emerging exploitation interest after disclosure. No vendor advisory or patch information is provided in the available references.

Vulnerability details

FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php.

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE in a public-facing web application component enables initial access through exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-50692 · Same product: Foxcms Foxcms
CVE-2025-29306 · Same product: Foxcms Foxcms
CVE-2025-25790 · Same product: Foxcms Foxcms
CVE-2025-55420 · Same product: Foxcms Foxcms
CVE-2025-55409 · Same product: Foxcms Foxcms
CVE-2025-13773 · Shared CWE-94
CVE-2026-30643 · Shared CWE-94
CVE-2026-30460 · Shared CWE-94
CVE-2025-71243 · Shared CWE-94
CVE-2026-44262 · Shared CWE-94

Affected Assets

foxcms foxcms 1.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the RCE vulnerability by requiring timely patching or updating of FoxCMS to remediate the flawed index() method in Sitemap.php.

prevent

Enforces validation and sanitization of inputs to the Sitemap controller's index() method, preventing code injection exploits (CWE-94) that lead to unauthenticated RCE.

prevent · detect

Deploys boundary protections like web application firewalls to monitor and block remote exploitation attempts targeting the vulnerable Sitemap.php endpoint.
