Cyber Resilience

CVE-2025-49139

Severity: Medium · Public PoC referenced
Published: 09 June 2025
Modified: 30 July 2025
KEV Added: not listed
Patch: available (version 11.0.0)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0027 (50.7th percentile)
Risk Priority: 11 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49139 is a medium-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in PSU's HAX CMS, affecting both the haxcms-php and haxcms-nodejs backends. Its CVSS v3.1 base score is 5.3 (Medium); the vector reflects no privileges required but user interaction (a victim visiting the malicious site) and high attack complexity (the victim's browser must be willing to send credentials to the attacker's host).

Operationally, this page maps exploitation to the MITRE ATT&CK technique Name Resolution Poisoning and SMB Relay (T1557.001). Note that no name-resolution spoofing is involved: the attacker simply forces the victim's browser to request an attacker-controlled URL, which is closer to Forced Authentication (T1187). The CVE ranks in the top 49.3% of CVEs by exploit likelihood (EPSS 0.0027), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block without restricting where it may point. When the HAX site is visited, the client's browser requests the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool, which answers the request with an authentication challenge. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials (captured NTLM hashes, or clear-text credentials if the victim answers a basic-auth prompt). Version 11.0.0 contains a patch for the issue.
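The missing check described above is a restriction on where the website block's URL may point. The following is an added example, not HAX CMS project code and not the actual fix shipped in 11.0.0: an allow-list validator for the block's target URL, plus a small audit helper for finding already-stored iframes that would fail it. The allowed host list, the "website block" rendering function and the sample HTML are constructed for the example.

```javascript
// Added example (not HAX CMS project code): validate a user-supplied
// "website block" URL before it is rendered as an <iframe src>.
// The pre-11.0.0 behaviour described in the advisory rendered the URL as-is,
// so a visitor's browser would fetch from any host, including one running
// Responder. What the real 11.0.0 patch does is not assumed here.

// Hosts the site operator is willing to embed. Constructed for the example.
const DEFAULT_ALLOWED_HOSTS = new Set(["haxtheweb.org", "www.youtube.com"]);

// Hosts that are never a legitimate public embed target but are exactly what
// a credential-harvesting box on a LAN looks like: a bare single-label name
// (resolved via LLMNR/NBT-NS/mDNS), .local-style suffixes, IP literals.
const PRIVATE_HOST_PATTERNS = [
  /^localhost$/i,
  /^[^.]+$/,                                           // single-label name
  /\.(local|localhost|internal|lan|home|corp|intranet)$/i,
  /^\d{1,3}(\.\d{1,3}){3}$/,                           // IPv4 literal
  /^\[.*\]$/,                                          // IPv6 literal (URL.hostname keeps brackets)
];

// Returns { ok: true, url } or { ok: false, reason }.
function validateEmbedUrl(raw, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  // Responder and similar tools listen on plain HTTP; an http: embed on an
  // https: site is also mixed content. Only https: is allowed.
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed (https only)` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  const host = url.hostname.toLowerCase();
  if (PRIVATE_HOST_PATTERNS.some((re) => re.test(host))) {
    return { ok: false, reason: `non-public host ${host}` };
  }
  if (!allowedHosts.has(host)) {
    return { ok: false, reason: `host ${host} not in allow-list` };
  }
  return { ok: true, url: url.href };
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hypothetical renderer for the block. Even an allowed URL is sandboxed and
// sent without a Referer, so the embedded page learns nothing about the
// HAX site or the visitor.
function renderWebsiteBlock(raw, allowedHosts) {
  const v = validateEmbedUrl(raw, allowedHosts);
  if (!v.ok) {
    return `<p class="website-block-error">Embed blocked: ${escapeHtml(v.reason)}</p>`;
  }
  return `<iframe src="${escapeHtml(v.url)}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}

// Audit helper for content created before the check existed: pull every
// <iframe src> out of stored page HTML and report the ones that fail.
function auditEmbeds(html, allowedHosts) {
  const findings = [];
  const re = /<iframe\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const v = validateEmbedUrl(m[1], allowedHosts);
    if (!v.ok) findings.push({ src: m[1], reason: v.reason });
  }
  return findings;
}

// Constructed sample: one legitimate embed and two Responder-style targets.
const SAMPLE_PAGE_HTML = `
<h1>My HAX site</h1>
<iframe src="https://haxtheweb.org/docs"></iframe>
<iframe src="http://attacker.example/"></iframe>
<iframe src="https://FILESRV01/share"></iframe>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditEmbeds(SAMPLE_PAGE_HTML)) console.log("BLOCK", f.src, f.reason);
  console.log(renderWebsiteBlock("https://haxtheweb.org/docs"));
}
```

The scheme and host-shape checks do the work against this CVE: a Responder listener on a LAN host is reached by plain HTTP and by a name that is single-label, an IP literal, or a local suffix, and all three are refused before the allow-list is even consulted. The sandbox and referrerpolicy attributes on the rendered frame are defence in depth for embeds that do pass.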

CWE(s)

CWE-1021 Improper Restriction of Rendered UI Layers or Frames
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1557.001 Name Resolution Poisoning and SMB Relay Credential Access
By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.
Why these techniques?

The vulnerability lets an authenticated attacker embed an iframe in a HAX CMS site that points at an attacker-controlled server running Responder or a similar tool. Every visitor's browser then requests that URL, and the server answers with an authentication challenge to capture NTLM hashes (or clear-text credentials via a basic-auth prompt), which can in turn be cracked or relayed. The mapping to T1557.001 covers the Responder tooling and the NTLM capture and relay outcome; the iframe does not itself perform LLMNR/NBT-NS poisoning, as the victim is steered to the attacker's host by URL, not by spoofed name resolution.

Affected Assets

psu / haxcms-nodejs: versions before 11.0.0 (fixed in 11.0.0)
psu / haxcms-php: versions before 11.0.0 (fixed in 11.0.0)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE. The vendor fix is to upgrade to version 11.0.0.
