CVE-2025-32957
Published: 31 March 2026
Summary
CVE-2025-32957 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Basercms Basercms. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 21.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely installation of the patch in baserCMS version 5.2.3 that fixes the unrestricted ZIP upload and PHP inclusion flaw.
- SI-10 (Information Input Validation): Mandates validation of uploaded ZIP files and extracted filenames to block malicious PHP payloads from being included via require_once.
- Least privilege on the restore function: Limits exposure by restricting access to only essential high-privilege administrators.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary PHP code execution via an unrestricted zip upload, extraction and include in the web application's restore function maps directly to public-facing application exploitation and web shell deployment.
NVD Description
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.
Deeper analysis
CVE-2025-32957 is an arbitrary code execution vulnerability in baserCMS, an open-source website development framework. In versions prior to 5.2.3, the application's restore function permits users to upload a .zip archive, which is automatically extracted. A PHP file embedded within the archive is then included via require_once without any validation or restriction on the filename, enabling attackers to craft a malicious PHP payload that executes upon inclusion. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N).
Exploitation requires high privileges (PR:H), such as those held by authenticated administrators with access to the restore function, but is otherwise straightforward with network accessibility, low complexity, and no user interaction needed. Successful attacks grant scope expansion (S:C), allowing attackers to achieve high-impact confidentiality and integrity violations through arbitrary code execution on the server, though availability remains unaffected.
The issue has been addressed in baserCMS version 5.2.3, as detailed in the project's security advisories and release notes. Security practitioners should upgrade to this patched version immediately and review access controls on the restore function to limit exposure. Relevant advisories are available at https://basercms.net/security/JVN_20837860, https://github.com/baserproject/basercms/releases/tag/5.2.3, and https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r.
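As an added illustration of the SI-10 control above (example code written for this page; it is not baserCMS code and not the project's actual fix), the following PHP shows how a restore endpoint can vet an uploaded archive before a single entry is written to disk. The policy it enforces (allowed top-level directories, allowed extensions, entry and size caps) and the function names are assumptions for the example; the properties that matter are that no entry whose name looks like server-side code or a handler override can reach disk, traversal and symlink entries are refused, and the restore logic never passes an extracted path to require_once.

```php
<?php
declare(strict_types=1);
// Added example, not baserCMS code. Requires PHP >= 8.0 with ext-zip.

final class ArchivePolicyViolation extends RuntimeException {}

// Assumed policy for what a restore archive may contain (example values).
const RESTORE_ALLOWED_ROOTS = ['schema', 'data', 'files'];
const RESTORE_ALLOWED_EXTENSIONS = ['sql', 'csv', 'json', 'txt', 'jpg', 'jpeg', 'png', 'gif', 'webp'];
const RESTORE_MAX_ENTRIES = 10000;
const RESTORE_MAX_UNCOMPRESSED_BYTES = 512 * 1024 * 1024; // caps zip-bomb expansion

/** Reject an entry name unless every path segment is safe and allow-listed. */
function assertSafeEntryName(string $name, bool $isDir): void
{
    if ($name === '' || str_contains($name, "\0") || str_contains($name, '\\')) {
        throw new ArchivePolicyViolation('malformed entry name: ' . bin2hex($name));
    }
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name) === 1) {
        throw new ArchivePolicyViolation("absolute path not allowed: $name");
    }
    $segments = explode('/', rtrim($name, '/'));
    foreach ($segments as $seg) {
        if ($seg === '' || $seg === '.' || $seg === '..') {
            throw new ArchivePolicyViolation("traversal or empty segment: $name");
        }
        // Refuse anything that looks like server-side code or a handler override,
        // whatever follows it: "x.php.jpg", "x.phtml", ".htaccess", ".user.ini".
        if (preg_match('/\.(php\d*|phps|phtml|phar|inc)(\.|$)/i', $seg) === 1
            || in_array(strtolower($seg), ['.htaccess', '.user.ini', 'web.config'], true)) {
            throw new ArchivePolicyViolation("code or config file not allowed: $name");
        }
    }
    if (!in_array($segments[0], RESTORE_ALLOWED_ROOTS, true)) {
        throw new ArchivePolicyViolation("entry outside allowed roots: $name");
    }
    if (!$isDir) {
        $ext = strtolower(pathinfo($segments[array_key_last($segments)], PATHINFO_EXTENSION));
        if (!in_array($ext, RESTORE_ALLOWED_EXTENSIONS, true)) {
            throw new ArchivePolicyViolation("extension not allow-listed: $name");
        }
    }
}

/** Inspect every entry before anything touches disk; returns the accepted names. */
function validateRestoreArchive(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new ArchivePolicyViolation('not a readable zip archive');
    }
    try {
        if ($zip->numFiles > RESTORE_MAX_ENTRIES) {
            throw new ArchivePolicyViolation('too many entries');
        }
        $accepted = [];
        $total = 0;
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $stat = $zip->statIndex($i);
            if ($stat === false) {
                throw new ArchivePolicyViolation("cannot stat entry $i");
            }
            $total += $stat['size']; // uncompressed size of this entry
            if ($total > RESTORE_MAX_UNCOMPRESSED_BYTES) {
                throw new ArchivePolicyViolation('uncompressed size limit exceeded');
            }
            // A symlink entry could redirect later writes outside the target directory.
            $opsys = 0;
            $attr = 0;
            if ($zip->getExternalAttributesIndex($i, $opsys, $attr)
                && $opsys === ZipArchive::OPSYS_UNIX && (($attr >> 16) & 0xF000) === 0xA000) {
                throw new ArchivePolicyViolation("symlink not allowed: {$stat['name']}");
            }
            assertSafeEntryName($stat['name'], str_ends_with($stat['name'], '/'));
            $accepted[] = $stat['name'];
        }
        return $accepted;
    } finally {
        $zip->close();
    }
}

// Constructed CLI demonstration: one compliant archive, one that smuggles a PHP file
// under a double extension. Neither is real backup data.
if (PHP_SAPI === 'cli') {
    $good = sys_get_temp_dir() . '/restore-good.zip';
    $bad = sys_get_temp_dir() . '/restore-bad.zip';
    $z = new ZipArchive();
    $z->open($good, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $z->addFromString('schema/site.sql', "-- constructed sample\n");
    $z->addFromString('files/logo.png', 'placeholder');
    $z->close();
    $z->open($bad, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $z->addFromString('schema/site.sql', "-- constructed sample\n");
    $z->addFromString('data/backup.php.jpg', 'placeholder');
    $z->close();
    echo 'good: ' . implode(', ', validateRestoreArchive($good)) . "\n";
    try {
        validateRestoreArchive($bad);
    } catch (ArchivePolicyViolation $e) {
        echo 'bad rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only after validateRestoreArchive() returns should the restore routine call ZipArchive::extractTo() with the accepted list as its second argument, into a fresh directory outside the web root, and then read those files as data (SQL, CSV, assets). Because nothing extracted is ever handed to require_once, an entry that somehow slipped past the name checks would still be inert rather than executable, which is the defence-in-depth layer that the original restore function lacked.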
Details
- CWE(s)