Cyber Resilience

CVE-2025-32957

High · Public PoC

Published: 31 March 2026

Modified: 01 April 2026
KEV Added:
Patch:
CVSS Score (v3.1): 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0058 (43.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-32957 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Basercms Basercms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood is ranked at the 43.0th percentile (below the median); the CVE is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-32957 is an arbitrary code execution vulnerability in baserCMS, an open-source website development framework. In versions prior to 5.2.3, the application's restore function permits users to upload a .zip archive, which is automatically extracted. A PHP file embedded within the archive is then included via require_once without any validation or restriction on the filename, enabling attackers to craft a malicious PHP payload that executes upon inclusion. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N).

Exploitation requires high privileges (PR:H), such as those held by authenticated administrators with access to the restore function, but is otherwise straightforward with network accessibility, low complexity, and no user interaction needed. Successful attacks grant scope expansion (S:C), allowing attackers to achieve high-impact confidentiality and integrity violations through arbitrary code execution on the server, though availability remains unaffected.

The issue has been addressed in baserCMS version 5.2.3, as detailed in the project's security advisories and release notes. Security practitioners should upgrade to this patched version immediately and review access controls on the restore function to limit exposure. Relevant advisories are available at https://basercms.net/security/JVN_20837860, https://github.com/baserproject/basercms/releases/tag/5.2.3, and https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 · Web Shell · Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary PHP code execution through an unrestricted zip upload, automatic extraction and include in the web application's restore function maps directly to exploitation of a public-facing application (T1190) and to web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30940 · Same product: Basercms Basercms
CVE-2026-30877 · Same product: Basercms Basercms
CVE-2026-27697 · Same product: Basercms Basercms
CVE-2026-32734 · Same product: Basercms Basercms
CVE-2026-21861 · Same product: Basercms Basercms
CVE-2026-30880 · Same product: Basercms Basercms
CVE-2025-22654 · Shared CWE-434
CVE-2025-11948 · Shared CWE-434
CVE-2025-67260 · Shared CWE-434
CVE-2025-28915 · Shared CWE-434

Affected Assets

Vendor: basercms
Product: basercms
Versions: ≤ 5.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation)
Directly mitigates the vulnerability by requiring timely installation of the patch in baserCMS version 5.2.3 that fixes the unrestricted ZIP upload and PHP inclusion flaw.

prevent · SI-10 (Information Input Validation)
Mandates validation of uploaded ZIP files and extracted filenames to block malicious PHP payloads from being included via require_once.

prevent
Limits exposure by enforcing least privilege on the restore function, restricting access to only essential high-privilege administrators.

References