CVE-2025-29306

CriticalPublic PoCRCE

Published: 27 March 2025

Published

27 March 2025

Modified

09 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.8671 99.4th percentile

Risk Priority 72 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29306 is a critical-severity Code Injection (CWE-94) vulnerability in Foxcms Foxcms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identification, reporting, and correction of the specific code injection flaw in FoxCMS v1.2.5 to prevent arbitrary code execution.

SI-10 Information Input Validation good match

prevent

Enforces validation of user inputs to the case display page in index.html, comprehensively preventing code injection vulnerabilities like this CVE.

SC-7 Boundary Protection partial match

preventdetect

Implements boundary protection such as web application firewalls to monitor and block remote injection attempts targeting the vulnerable index.html component.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1221 Template Injection Stealth

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

attack.mitre.org →

Why these techniques?

CVE-2025-29306 is a remote code execution vulnerability in FoxCMS via parameter injection on the index.html page (POC uses SSTI syntax ${@print(phpinfo())}), enabling exploitation of a public-facing web application (T1190) and template injection for code execution (T1221).

NVD Description

An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.

Deeper analysisAI

CVE-2025-29306 is a critical code injection vulnerability (CWE-94) in FoxCMS version 1.2.5, published on 2025-03-27. It allows a remote attacker to execute arbitrary code through the case display page in the index.html component, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by any unauthenticated remote attacker over the network with low attack complexity and no user interaction required. Successful exploitation enables arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to complete system compromise.

For mitigation guidance and patches, refer to the advisory at https://github.com/somatrasss/CVE-2025-29306.