Cyber Resilience

CVE-2025-28090

CriticalPublic PoC

Published: 28 March 2025

Published
28 March 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0018 38.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-28090 is a critical-severity SSRF (CWE-918) vulnerability in Maccms Maccms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28090 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting maccms10 version 2025.1000.4047 in its Collection Custom Interface feature. Published on 2025-03-28, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting network accessibility, low attack complexity, no required privileges or user interaction, unchanged impact scope, high confidentiality and integrity effects, and no availability impact.

Remote, unauthenticated attackers can exploit this SSRF vulnerability over the network with low complexity and no user interaction. Successful exploitation enables high-level compromise of confidentiality and integrity, such as unauthorized access to internal systems or data via forged server requests.

Advisories providing further details, including potential mitigations, are available at https://www.yuque.com/morysummer/vx41bz/xo5w1euakvtgenex.

EU & UK References

Vulnerability details

maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in the Collection Custom Interface feature.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF vulnerability in public-facing web app (maccms10 Collection Custom Interface) directly enables remote unauthenticated exploitation for internal resource access, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-28089Same product: Maccms Maccms
CVE-2025-28091Same product: Maccms Maccms
CVE-2026-6514Shared CWE-918
CVE-2026-44116Shared CWE-918
CVE-2026-21887Shared CWE-918
CVE-2026-31910Shared CWE-918
CVE-2026-48153Shared CWE-918
CVE-2026-45298Shared CWE-918
CVE-2026-39362Shared CWE-918
CVE-2026-31989Shared CWE-918

Affected Assets

maccms
maccms
10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SSRF by validating and sanitizing user-supplied inputs, such as URLs in the Collection Custom Interface, to prevent forging requests to unauthorized internal resources.

prevent

Enforces flow control policies restricting application-initiated outbound requests to only authorized destinations, blocking SSRF exploitation to internal systems.

preventdetect

Monitors and controls communications at system boundaries to detect and block anomalous outbound requests triggered by SSRF in the vulnerable feature.

References