Cyber Resilience

CVE-2025-48492

Severity: High · Public PoC · RCE

Published: 30 May 2025
Modified: 04 June 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: planned for GetSimple CMS 3.3.22
CVSS v4.0 base score: 8.6 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vector decoded: network attack vector, low attack complexity, no attack requirements, high privileges required, no user interaction; high confidentiality, integrity and availability impact on the vulnerable system; no subsequent-system impact. Threat, environmental and supplemental metrics are not defined (X).
EPSS score: 0.0280 (about 2.8% probability of exploitation activity in the next 30 days; 86.4th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)
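The header combines three inputs (EPSS, KEV membership, CVSS) with the weights 60/20/20 but does not show how they produce the value 19. The following Python is an added example, not the tracker's own code: it parses the published CVSS v4.0 vector into its defined metrics, reduces the base metrics to the triage questions a responder asks first, and reconstructs the Risk Priority. The formula (each input scaled to 0..100, weighted, rounded) is an assumption inferred from the displayed weights and values; it reproduces the 19 shown above but is not documented on this page.

```python
"""Added example (not the tracker's own code): parse the CVSS v4.0 vector
published for CVE-2025-48492 and reconstruct the page's Risk Priority.

The weighting formula below is an ASSUMPTION inferred from the displayed
weights (60% EPSS, 20% KEV, 20% CVSS) and values; it reproduces 19 for this
entry but is not the tracker's documented algorithm.
"""

# Vector string exactly as published on the page above.
PAGE_VECTOR = (
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    "/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X"
    "/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
)

# The eleven CVSS v4.0 base metrics; every valid vector must define them.
BASE_METRICS = frozenset(
    ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"]
)


def parse_cvss4(vector: str) -> dict[str, str]:
    """Return the defined metrics of a CVSS:4.0 vector as a name->value dict.

    Metrics set to 'X' (Not Defined) are dropped, so the result is the base
    vector plus whatever threat/environmental/supplemental metrics were
    actually set. Raises ValueError on a wrong version prefix, a malformed
    or duplicated metric, or a missing base metric.
    """
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics: dict[str, str] = {}
    seen: set[str] = set()
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not (sep and name and value):
            raise ValueError(f"malformed metric: {part!r}")
        if name in seen:
            raise ValueError(f"duplicate metric: {name}")
        seen.add(name)
        if value != "X":
            metrics[name] = value
    missing = BASE_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    return metrics


def triage_flags(metrics: dict[str, str]) -> dict[str, bool]:
    """Boil the base vector down to the questions a responder asks first."""
    return {
        "network_reachable": metrics["AV"] == "N",
        # PR:H means the attacker already holds a privileged account; for
        # this CVE that is the account with component-edit rights.
        "privileged_account_required": metrics["PR"] == "H",
        "user_interaction_required": metrics["UI"] != "N",
        "full_cia_impact": all(metrics[m] == "H" for m in ("VC", "VI", "VA")),
        # Any subsequent-system impact would mean the flaw reaches beyond
        # the vulnerable system itself; for this entry all three are N.
        "subsequent_system_impact": any(
            metrics[m] != "N" for m in ("SC", "SI", "SA")
        ),
    }


def risk_priority(epss: float, in_kev: bool, cvss: float) -> int:
    """Reconstructed Risk Priority (ASSUMED formula, see module docstring).

    epss: EPSS probability in [0, 1]; cvss: base score in [0, 10].
    Each input is scaled to 0..100, weighted 60/20/20 and rounded.
    """
    if not 0.0 <= epss <= 1.0 or not 0.0 <= cvss <= 10.0:
        raise ValueError("epss must be in [0,1] and cvss in [0,10]")
    score = 60 * epss + 20 * (1.0 if in_kev else 0.0) + 20 * (cvss / 10)
    return round(score)


if __name__ == "__main__":
    m = parse_cvss4(PAGE_VECTOR)
    print(triage_flags(m))
    # Header values: EPSS 0.0280, not in KEV, CVSS 8.6 -> 19
    print(risk_priority(0.0280, False, 8.6))
```

Under the assumed formula the KEV term is worth 20 points on its own, so a KEV listing would move this entry from 19 to 39 with no change to EPSS or CVSS; that is the sensitivity worth knowing when the header's "KEV Added" field is empty.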

Summary

CVE-2025-48492 is a high-severity command injection (CWE-77) vulnerability in GetSimple CMS (vendor: getsimple-ce). Its CVSS v4.0 base score is 8.6 (High).

Operationally, it ranks in the top 13.6% of CVEs by EPSS exploit likelihood (86.4th percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

GetSimple CMS versions 3.3.16 through 3.3.21 contain a command-injection flaw (CWE-77) that permits an authenticated user with permission to edit components to write arbitrary PHP code into a component file. The injected code can then be executed by supplying a crafted query string, yielding remote code execution with full impact on confidentiality, integrity, and availability of the CMS host.

An attacker who already holds a valid account with component-edit rights (the CVSS vector's PR:H) can therefore write and trigger malicious PHP payloads without any further user interaction (UI:N), resulting in complete compromise of the affected CMS instance. The prerequisite account is the main limiting factor: the flaw is not reachable by unauthenticated or low-privileged users.

The public GitHub Security Advisory GHSA-g435-p72m-p582 states that the issue will be corrected in the forthcoming 3.3.22 release.

EPSS is 0.0280 (86.4th percentile) and has not moved since disclosure, indicating no observable increase in exploitation interest despite the referenced public proof-of-concept.


Vulnerability details

GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to be patched in version 3.3.22.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named threat actor attribution has been reported, and no ATT&CK technique mapping is available yet for this CVE.

Affected Assets

Vendor: getsimple-ce
Product: GetSimple CMS
Affected versions: 3.3.16 through 3.3.21 (3.3.22 is the planned fix release and is not affected)

Mitigating Controls

No mitigating controls have been mapped for this CVE yet. From the advisory itself: exploitation requires an authenticated account with component-edit rights (CVSS PR:H), so until 3.3.22 is available, restricting that permission to trusted administrators and reviewing existing component files for unexpected PHP are the obvious interim measures.

References

GHSA-g435-p72m-p582 (GitHub Security Advisory for this issue; states the fix is planned for 3.3.22)