Cyber Resilience

CVE-2025-49141

High · Public PoC · RCE

Published: 09 June 2025
Modified: 30 July 2025
KEV Added: not listed
Patch: available (version 11.0.3)
CVSS Score (v3.1): 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0403 (88.8th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-49141 is a high-severity OS command injection (CWE-78) vulnerability in HAX CMS; the NVD entry lists the affected products as psu/haxcms-php and psu/haxcms-nodejs. Its CVSS v3.1 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 11.2% of CVEs by exploit likelihood (EPSS 88.8th percentile), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

HAX CMS PHP, a tool for managing microsites via a PHP backend, is affected by an OS command injection vulnerability (CWE-78) in versions prior to 11.0.3. The flaw resides in the gitImportSite functionality, which takes a URL string from a POST request and validates it insufficiently before the set_remote function passes the input to proc_open for execution. When proc_open is given a command string rather than an argument array, PHP runs it through the system shell, so any shell metacharacter that survives validation is interpreted as shell syntax.

An authenticated attacker with low-privileged access can supply a crafted URL that passes the filter_var and strpos checks while still carrying shell syntax, resulting in arbitrary operating system command execution on the backend server. Command output can then be exfiltrated over HTTP. The CVSS 8.5 score reflects high impact on confidentiality, integrity and availability (C:H/I:H/A:H) over a network attack vector (AV:N), with high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N) and a changed scope (S:C).

The referenced GitHub Security Advisory GHSA-g4cf-pp4x-hqgw and the associated commit describe the issue and confirm that version 11.0.3 contains a patch addressing the input validation weakness. The EPSS score has remained flat at 0.0403, with no material increase observed since disclosure.

EU & UK References

Vulnerability details

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
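The following PHP is an added illustration, not HAX CMS code and not taken from the advisory or its fix commit. It models the pattern the deeper analysis and the vulnerability details above describe (a URL taken from a POST body, syntactic filter_var/strpos checks, string concatenation into a command that proc_open hands to the shell) next to a hardened builder that parses strictly, allow-lists scheme, host and path, and passes an argument array to proc_open so no shell is involved. The function names, the exact checks, the `git remote add` subcommand and the sample URLs are assumptions; it needs PHP 8.0+ (`str_contains`; the array form of `proc_open` exists since 7.4).

```php
<?php
declare(strict_types=1);

// Added illustrative example: NOT the HAX CMS source. It models the advisory's
// pattern (POST URL -> filter_var/strpos -> command string -> proc_open) beside a
// hardened version. Names, checks and sample inputs are assumptions.

/** Vulnerable pattern: the checks are syntactic, so shell metacharacters survive. */
function buildRemoteCommandVulnerable(string $url): ?string
{
    // FILTER_VALIDATE_URL accepts the full URL character set, which still
    // contains ; | ` $ ( ) < > and similar shell syntax (only whitespace is out).
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // A prefix check of the strpos kind: "must start with http".
    if (strpos($url, 'http') !== 0) {
        return null;
    }
    // This string would go to proc_open(), which runs a string command via /bin/sh.
    return 'git remote add origin ' . $url;
}

/** Hardened version: strict parse, scheme/host/path allow-list, argv form (no shell). */
function buildRemoteArgvHardened(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    // https only; this also rejects git transport helpers (e.g. ext::) that
    // themselves spawn commands.
    if (($parts['scheme'] ?? '') !== 'https') {
        return null;
    }
    // Host must be a syntactically valid hostname; no credentials, port, query or fragment.
    $host = $parts['host'] ?? '';
    if ($host === '' || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return null;
        }
    }
    // Path: a tight character class and no traversal segments.
    $path = $parts['path'] ?? '';
    if ($path === '' || !preg_match('#^/[A-Za-z0-9._/-]+$#', $path) || str_contains($path, '..')) {
        return null;
    }
    $clean = 'https://' . $host . $path;
    // argv form: proc_open() with an array executes git directly, so there is no
    // shell to interpret metacharacters. "--" stops git from reading the URL as an option.
    return ['git', 'remote', 'add', 'origin', '--', $clean];
}

/** Runs an argv array with proc_open() and returns git's exit code. Not invoked below. */
function runArgv(array $argv, string $cwd): int
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, $cwd);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed inputs: a benign repository URL, and one that passes the syntactic
// checks (no whitespace) but carries a command separator and an output redirect,
// which is exactly the "run a command, then fetch its output over HTTP" shape.
$inputs = [
    'https://example.com/org/site.git',
    'https://example.com/site.git;id>/tmp/out',
];
foreach ($inputs as $url) {
    $vuln = buildRemoteCommandVulnerable($url);
    $hard = buildRemoteArgvHardened($url);
    echo "input:      $url\n";
    echo "vulnerable: " . ($vuln ?? 'rejected') . "\n";
    echo "hardened:   " . ($hard === null ? 'rejected' : json_encode($hard, JSON_UNESCAPED_SLASHES)) . "\n\n";
}
```

Run it with `php example.php`. For the second input the vulnerable builder emits `git remote add origin https://example.com/site.git;id>/tmp/out`, which a string-form proc_open would hand to /bin/sh as two commands; the hardened builder rejects it at the path check, and even a value that slipped through would reach git as a single argv element rather than shell text. The two layers are deliberate: the allow-list limits what an attacker can make git do, and the argv form removes the shell entirely.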

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-49141 is an OS command injection vulnerability in a public-facing PHP web application (HAX CMS), enabling remote code execution (T1190: Exploit Public-Facing Application) via Unix shell commands (T1059.004: Unix Shell) through insufficient input validation in the gitImportSite endpoint.

Affected Assets

psu/haxcms-nodejs: ≤ 11.0.3
psu/haxcms-php: ≤ 11.0.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Sandboxed or managed runtime (addresses CWE-78): platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Input validation (addresses CWE-78): validates inputs to block special elements that would alter OS command execution.

References