CVE-2025-30091
Published: 25 March 2025
Summary
CVE-2025-30091 is a critical-severity Static Code Injection (CWE-96) vulnerability in MoxieManager (inferred from references). Its CVSS base score is 9.4 (Critical).
Operationally, it ranks in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Tiny MoxieManager PHP before version 4.0.0 contains a remote code execution vulnerability in its installer command. The flaw is classified as CWE-96 (static code injection): it permits unauthenticated insertion of attacker-controlled data, submitted via InstallCommand, directly into the generated config.php file, and the command remains reachable even after initial setup completes. The issue carries a CVSS 4.0 score of 9.4, reflecting network-accessible, low-complexity exploitation with high impact across confidentiality, integrity, and availability.
An attacker can supply malicious input to InstallCommand to write and execute arbitrary PHP code on the server. Because the endpoint stays available post-installation and requires no authentication, the attack can be launched remotely by any party able to reach the MoxieManager instance, resulting in full compromise of the affected web application and underlying host.
Public advisories and the product changelog at moxiemanager.com address the issue under identifier SEC-1063 and document the availability of version 4.0.0 as the corrective release. The associated EPSS score remains low, with a current value of 0.0140 and a peak of only 0.0168.
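As an added illustration (not MoxieManager's code; the file names, field names and function names are assumptions), a minimal PHP installer endpoint that closes both weaknesses the analysis above describes: it refuses to run once an install lock or config exists, and it never interpolates submitted values into PHP source, writing config.php through var_export instead.

```php
<?php
// Added example (not MoxieManager code): installer that writes config.php
// without static code injection. File names and fields are assumptions.
declare(strict_types=1);
const CONFIG_FILE  = __DIR__ . '/config.php';
const INSTALL_LOCK = __DIR__ . '/install.lock';

// Allow-list of fields with strict patterns so no value can carry PHP syntax.
function validateInstallInput(array $input): array
{
    $rules = [
        'db_host' => '/^[A-Za-z0-9.\-]{1,253}$/',
        'db_name' => '/^[A-Za-z0-9_]{1,64}$/',
        'db_user' => '/^[A-Za-z0-9_]{1,32}$/',
        'db_pass' => '/^[\x20-\x7E]{1,128}$/',
    ];
    $clean = [];
    foreach ($rules as $key => $pattern) {
        $value = $input[$key] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("invalid or missing field: $key");
        }
        $clean[$key] = $value;   // unknown keys are dropped
    }
    return $clean;
}

// Emit config as PHP data via var_export: values are quoted literals, so a
// stray quote or "?>" in input stays data instead of becoming code.
function renderConfig(array $config): string
{
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

function runInstaller(array $input): void
{
    // Single-use: refuse once setup has completed (the post-install exposure
    // the advisory describes is closed here, not just the injection).
    if (file_exists(INSTALL_LOCK) || file_exists(CONFIG_FILE)) {
        http_response_code(403);
        exit('Installer disabled: installation already completed.');
    }
    $config = validateInstallInput($input);
    $tmp = CONFIG_FILE . '.tmp';
    file_put_contents($tmp, renderConfig($config), LOCK_EX);   // atomic replace
    rename($tmp, CONFIG_FILE);
    touch(INSTALL_LOCK);
}

runInstaller($_POST);
```

The generated file is loaded with `require` and returns an array; because every value is a var_export literal, no submitted string can change the file's structure.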
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14812
Vulnerability details
In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed.
- CWE(s): CWE-96 (Static Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.