CVE-2025-44071
Published: 05 May 2025
Summary
CVE-2025-44071 is a critical-severity Code Injection (CWE-94) vulnerability in SeaCMS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 11.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
SeaCMS version 13.3 contains a remote code execution vulnerability in the phomebak.php component. The flaw is tracked as CVE-2025-44071, carries a CVSS v3.1 score of 9.8, and is classified under CWE-94 (improper control of generation of code). A crafted request is sufficient to trigger arbitrary code execution on the affected installation.
Unauthenticated attackers with network access can send a malicious request to the vulnerable endpoint and obtain arbitrary command execution. Successful exploitation grants full control over the application, including the ability to read, modify, or delete data and potentially pivot to other systems.
The single public reference is a GitHub repository containing technical details of the issue; no vendor advisory or patch information is provided in the available sources. The associated EPSS score remains flat at 0.0390 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13407
Vulnerability details
SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via a crafted request.
- CWE(s): CWE-94
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The remote code execution vulnerability in the public-facing SeaCMS web application component phomebak.php enables attackers to exploit public-facing applications for initial access via crafted requests.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.