Cyber Resilience

CVE-2025-28089

Critical · Public PoC

Published: 28 March 2025
Modified: 07 April 2025
KEV Added: not listed
Patch: referenced (see References)
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.0018 (38.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-28089 is a critical-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Maccms (maccms10). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28089 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in the Scheduled Task function of maccms10 v2025.1000.4047. Published on 2025-03-28, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): reachable over the network, low attack complexity, no privileges or user interaction required, with high confidentiality and integrity impact and no availability impact.

An unauthenticated attacker with network access to the application can therefore exploit it without any user interaction. By supplying a destination to the Scheduled Task function, the attacker makes the maccms10 server issue requests on their behalf. What those requests can reach depends on the server's network position; in typical deployments that includes services bound to localhost, hosts on the same internal segment and, on cloud instances, the instance metadata endpoint, which is the classic route from SSRF to credential theft. The high confidentiality and integrity ratings reflect both reading responses from such targets (unauthorized access, data exfiltration) and driving state-changing requests at them (manipulation).

Advisories and patch details are referenced in the maccms10 release at https://github.com/magicblack/maccms10/releases/tag/v2025.1000.4047 and in the project documentation at https://www.yuque.com/morysummer/vx41bz/wzer7qxh0vwrf6zq. Note that the referenced release tag is the same version the vulnerability description names as affected, so confirm from the release notes which build actually contains the fix before treating an upgrade to v2025.1000.4047 as remediation. Until a fixed build is deployed, restrict who can reach the Scheduled Task function and constrain the server's outbound connectivity.


Vulnerability details

maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) via the Scheduled Task function.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The SSRF sits in the Scheduled Task function of an Internet-facing maccms10 instance and is exploitable without authentication, so it maps directly to T1190: a remote adversary gains initial access and, through the forged server-side requests, a path to internal resources and data exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-28090 (same product: Maccms)
CVE-2025-28091 (same product: Maccms)
CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-31910 (shared CWE-918)
CVE-2026-48153 (shared CWE-918)
CVE-2026-45298 (shared CWE-918)
CVE-2026-39362 (shared CWE-918)
CVE-2026-31989 (shared CWE-918)

Affected Assets

Vendor: maccms
Product: maccms
Version: 10.0 (CPE product-line version; the vulnerability description names build v2025.1000.4047)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the SSRF in the Scheduled Task function by identifying, reporting and correcting the flaw, as referenced in the maccms10 patch release.

SI-10 Information Input Validation (prevent)

Prevents SSRF by validating URL or endpoint inputs to the Scheduled Task function against organization-defined allowlists or patterns, so forged requests are rejected before the server issues them. A name-based allowlist alone is not enough: the validator also has to refuse literal IP addresses, userinfo tricks and non-default ports, and check what the allowlisted name resolves to.

Network boundary control (prevent / detect)

Limits SSRF impact by monitoring and controlling communications at internal network boundaries, so the server cannot reach internal resources it has no reason to call. Egress logging at the same boundary is also where exploitation attempts become visible: a web server connecting to a metadata endpoint or an internal service port is a strong signal.
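The input-validation and boundary-control items above describe one policy enforced at two points: before the server issues a fetch, and when reviewing what it actually fetched. The following is an added example written for this page, not maccms10 project code, and it does not reflect how maccms10 implements its Scheduled Task function. The allowlisted hostnames, the web server address 10.0.5.12, the address 51.100.200.10 and the egress log format are all constructed for illustration. The same `is_blocked_ip` policy drives both the pre-request validator (SI-10) and the egress-log scanner (boundary detection), and the validator covers the bypasses a plain hostname allowlist misses: literal IPs in any notation, IPv4-mapped IPv6, userinfo smuggling, non-default ports and allowlisted names that resolve to internal addresses.

```python
"""SSRF destination policy used for prevention and detection.

Added example, not maccms10 code. Hostnames, addresses and the log format
are constructed for the example."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: only these names, only over HTTPS on the default port.
ALLOWED_HOSTS = {"updates.example.com", "feeds.example.net"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None = scheme default


def is_blocked_ip(ip_str):
    """True for any address a scheduled fetch must never reach: loopback,
    RFC 1918, link-local (cloud metadata lives at 169.254.169.254), multicast,
    reserved and documentation ranges. IPv4-mapped IPv6 is unwrapped first so
    ::ffff:10.0.0.1 cannot smuggle an internal IPv4 target past the check."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def default_resolve(host):
    """Resolve a hostname to all of its A/AAAA records (live DNS)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolve=default_resolve):
    """Return (ok, reason, resolved_addrs) for a URL the task wants to fetch.

    `resolve` is injectable so the check can run offline. On success the
    caller should connect to one of the returned addresses (pin it) and
    disable redirects; otherwise DNS rebinding or a 302 to an internal URL
    reopens the hole after validation has passed."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (https://allowed@evil/ trick)", []
    try:
        port = parts.port
    except ValueError:
        return False, "unparseable port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host", []
    # Allowlist by name only: literal IPs in any notation are refused outright,
    # so there is no need to canonicalise 0x7f000001, 2130706433, [::1], etc.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not allowed", []
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist", []
    # An allowlisted name can still resolve to an internal address (attacker-
    # controlled or poisoned DNS), so every resolved address is checked too.
    addrs = resolve(host)
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if not addrs or blocked:
        return False, f"resolved to blocked or no addresses: {blocked}", []
    return True, "ok", addrs


# Constructed egress-log format: one outbound connection per line.
EGRESS_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)")


def scan_egress(lines, web_servers):
    """Flag outbound connections from the web tier that violate the same
    policy: destination IP blocked, or destination host not allowlisted.
    Returns (src, dst, host) tuples for the analyst to triage."""
    hits = []
    for line in lines:
        m = EGRESS_RE.search(line)
        if not m or m["src"] not in web_servers:
            continue
        dst, host = m["dst"], m["host"].lower()
        if is_blocked_ip(dst) or host not in ALLOWED_HOSTS:
            hits.append((m["src"], dst, host))
    return hits


# Constructed sample telemetry (not real data); 10.0.5.12 is the web server.
SAMPLE_EGRESS = [
    "2025-03-30T10:15:01Z src=10.0.5.12 dst=51.100.200.10 dport=443 host=updates.example.com",
    "2025-03-30T10:15:02Z src=10.0.5.12 dst=169.254.169.254 dport=80 host=169.254.169.254",
    "2025-03-30T10:15:03Z src=10.0.5.12 dst=10.0.0.25 dport=6379 host=10.0.0.25",
    "2025-03-30T10:15:04Z src=10.0.7.30 dst=10.0.0.25 dport=6379 host=10.0.0.25",
]

if __name__ == "__main__":
    fake_dns = lambda h: ["51.100.200.10"]  # offline stand-in for DNS
    for u in ("https://updates.example.com/feed.xml",
              "https://169.254.169.254/latest/meta-data/",
              "https://updates.example.com@evil.example/",
              "http://updates.example.com/"):
        print(u, "->", validate_fetch_url(u, resolve=fake_dns)[:2])
    print(scan_egress(SAMPLE_EGRESS, {"10.0.5.12"}))
```

Run as a script it rejects the metadata URL, the userinfo trick and the plain-HTTP URL while accepting the allowlisted feed, and the scanner flags the two web-server connections to 169.254.169.254 and the internal Redis port while ignoring the same connection from a non-web host. The design point is that the scanner reuses the validator's policy rather than a separate blocklist, so a gap discovered on one side is closed on both.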

References

https://github.com/magicblack/maccms10/releases/tag/v2025.1000.4047
https://www.yuque.com/morysummer/vx41bz/wzer7qxh0vwrf6zq