CVE-2025-28090
Published: 28 March 2025
Summary
CVE-2025-28090 is a critical-severity SSRF (CWE-918) vulnerability in Maccms Maccms. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28090 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting maccms10 version 2025.1000.4047 in its Collection Custom Interface feature. Published on 2025-03-28, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting network accessibility, low attack complexity, no required privileges or user interaction, unchanged impact scope, high confidentiality and integrity effects, and no availability impact.
Remote, unauthenticated attackers can exploit this SSRF vulnerability over the network with low complexity and no user interaction. Successful exploitation enables high-level compromise of confidentiality and integrity, such as unauthorized access to internal systems or data via forged server requests.
Advisories providing further details, including potential mitigations, are available at https://www.yuque.com/morysummer/vx41bz/xo5w1euakvtgenex.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8657
Vulnerability details
maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in the Collection Custom Interface feature.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vulnerability in public-facing web app (maccms10 Collection Custom Interface) directly enables remote unauthenticated exploitation for internal resource access, mapping to T1190 Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates SSRF by validating and sanitizing user-supplied inputs, such as URLs in the Collection Custom Interface, to prevent forging requests to unauthorized internal resources.
Enforces flow control policies restricting application-initiated outbound requests to only authorized destinations, blocking SSRF exploitation to internal systems.
Monitors and controls communications at system boundaries to detect and block anomalous outbound requests triggered by SSRF in the vulnerable feature.