CVE-2025-28089
Published: 28 March 2025
Summary
CVE-2025-28089 is a critical-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in maccms10 (vendor Maccms). Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 38.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-28089 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting maccms10 version v2025.1000.4047 in its Scheduled Task function. Published on 2025-03-28, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), highlighting its critical severity due to high impacts on confidentiality and integrity.
Because the vector is network-reachable with low attack complexity, no privileges and no user interaction, an unauthenticated remote attacker can supply a URL to the Scheduled Task function and have the server issue the request on the attacker's behalf. As with any SSRF, what that buys depends on what the application host can reach: internal services that trust the server's source address (including any cloud metadata endpoint), data returned from those services and exfiltrated through the response, or state-changing requests against internal systems, consistent with the high confidentiality and integrity impacts.
The CVE record references the maccms10 release page for v2025.1000.4047 at https://github.com/magicblack/maccms10/releases/tag/v2025.1000.4047 and the vendor documentation at https://www.yuque.com/morysummer/vx41bz/wzer7qxh0vwrf6zq. Note that the referenced tag is the affected version itself, so do not treat that release as the fix; check the upstream release notes for the version that changes the Scheduled Task function and upgrade to it. Until then, restrict who can reach the Scheduled Task function and limit what the application host can connect to on the internal network.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8659
Vulnerability details
maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) via the Scheduled Task function.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
An SSRF in the public-facing Scheduled Task function directly enables T1190: an unauthenticated remote attacker gains initial access through the application, and the forged requests then provide access to internal resources and a channel for data exfiltration.
Affected Assets
- maccms10 v2025.1000.4047 (Scheduled Task function)
Mitigating Controls (NIST 800-53 r5)
- SI-2 Flaw Remediation: directly remediates the SSRF by identifying, reporting and correcting the flaw, in practice by moving to a maccms10 release that fixes the Scheduled Task function.
- SI-10 Information Input Validation: prevents the forged request from being issued by validating the URL or endpoint supplied to the Scheduled Task function against an organization-defined allowlist (scheme, host, port) and rejecting everything else.
- SC-7 Boundary Protection: limits the impact of a successful SSRF by monitoring and controlling the application server's outbound communications at internal boundaries, so that even a forged request cannot reach internal resources the server has no business contacting.
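The SI-10 control above calls for validating the task URL against an allowlist, and the SC-7 control adds that the host itself should be unable to reach internal addresses. The Python below is an added example written for this page, not code from maccms10 or its maintainers. It shows why a hostname allowlist on its own is not sufficient and what a complete check looks like: scheme and port restriction, no userinfo, a hostname allowlist, and a check of every address the host resolves to, so that an allowed name that resolves (or is later rebound) to a loopback, RFC 1918, link-local or cloud-metadata address is still rejected. The allowlist, the fake DNS table, the sample URLs and the address 93.184.216.34 are constructed for the demo; the default resolver does real lookups only if no fake is injected.

```python
"""Allowlist plus resolved-address check for a URL that a server-side
fetcher (such as a scheduled-task 'request this URL' feature) is asked
to contact. Illustrative code, not maccms10's own. The allowlist, the
fake DNS table and the sample URLs below are constructed for the demo."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class SSRFRejected(ValueError):
    """Raised when a URL must not be fetched on the server's behalf."""


def resolve_all(host):
    """Real resolver: every A/AAAA answer for host (used when no fake is injected)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(addr):
    """True for any address a server-side fetcher must not reach: loopback,
    RFC 1918, link-local (incl. 169.254.169.254 metadata), CGNAT,
    reserved/documentation ranges, multicast and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return ip.is_multicast or not ip.is_global


def validate_task_url(url, allowed_hosts, resolver=resolve_all):
    """Validate url against an allowlist of hostnames and against the
    addresses the host actually resolves to. Returns the sorted resolved
    addresses so the caller can connect to exactly those (pinning them
    closes the gap between this check and the later fetch)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFRejected("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise SSRFRejected("userinfo in URL not allowed")
    host = parts.hostname            # urlsplit already lowercases it
    if not host:
        raise SSRFRejected("missing host")
    host = host.rstrip(".")          # 'example.com.' is the same name
    if host not in allowed_hosts:    # IP literals never match a name list
        raise SSRFRejected("host not in allowlist: %r" % host)
    try:
        port = parts.port
    except ValueError:
        raise SSRFRejected("malformed port")
    if port is not None and port not in ALLOWED_PORTS:
        raise SSRFRejected("port not allowed: %d" % port)
    # The allowlist alone is not enough: an allowed name can resolve
    # (or be rebound) to an internal address. Check every answer.
    addrs = resolver(host)
    if not addrs:
        raise SSRFRejected("host does not resolve: %r" % host)
    internal = sorted(a for a in addrs if _is_internal(a))
    if internal:
        raise SSRFRejected("%r resolves to internal address(es) %s" % (host, internal))
    return sorted(addrs)


def is_safe_task_url(url, allowed_hosts, resolver=resolve_all):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_task_url(url, allowed_hosts, resolver)
        return True
    except SSRFRejected:
        return False


# --- constructed demo data (no network access needed) --------------------
ALLOWED_HOSTS = {"feeds.example.com", "rebound.example.com",
                 "meta.example.com", "mapped.example.com"}
FAKE_DNS = {
    "feeds.example.com":   {"93.184.216.34"},              # public only
    "rebound.example.com": {"93.184.216.34", "10.0.0.5"},  # one internal answer
    "meta.example.com":    {"169.254.169.254"},            # cloud metadata
    "mapped.example.com":  {"::ffff:127.0.0.1"},           # mapped loopback
}


def fake_resolver(host):
    """Stand-in for DNS so the demo is deterministic and offline."""
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for u in ("https://feeds.example.com/cron?run=1",
              "http://127.0.0.1:8080/admin",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd",
              "http://feeds.example.com:6379/",
              "http://rebound.example.com/",
              "http://meta.example.com/",
              "http://mapped.example.com/"):
        print(u, "->", is_safe_task_url(u, ALLOWED_HOSTS, fake_resolver))
```

The function returns the resolved addresses so the fetcher can connect to exactly those instead of resolving the name a second time, and the same validation has to be applied to every redirect target; an allowed host that answers with a 302 to an internal address would otherwise bypass the check. Even with this in place, the SC-7 control still matters: outbound network policy on the application host is the safety net for whatever the validator misses.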