CVE-2025-49141
Published: 09 June 2025
Summary
CVE-2025-49141 is a high-severity OS Command Injection (CWE-78) vulnerability in Psu Haxcms-Nodejs. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 11.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
HAX CMS PHP, a tool for managing microsites via a PHP backend, is affected by an OS command injection vulnerability (CWE-78) in versions prior to 11.0.3. The flaw resides in the gitImportSite functionality, which takes a URL string from a POST request and performs insufficient validation before the set_remote function passes the input to proc_open for execution.
An authenticated attacker with low-privileged access can supply a crafted URL that evades the filter_var and strpos checks, resulting in arbitrary operating system command execution on the backend server. Command output can then be exfiltrated over HTTP, and the CVSS 8.5 score reflects the high impact on confidentiality, integrity, and availability under a network attack vector with some attack complexity.
The referenced GitHub Security Advisory GHSA-g4cf-pp4x-hqgw and associated commit describe the issue and confirm that version 11.0.3 contains a patch addressing the input validation weakness. The EPSS score has remained flat at 0.0403 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-17578
Vulnerability details
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
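The pattern described above (a URL from a POST body reaching `proc_open` after substring-style checks) is the kind of sink that is hardened by structural validation plus a shell-free exec call. The sketch below is an added illustration, not HAX CMS code or its patch; the function names, the allowlisted host and the `git remote add` invocation are assumptions.

```php
<?php
// Added example: hardened counterpart to a "URL string -> proc_open" sink.
// Not HAX CMS code. Requires PHP >= 7.4 for the array form of proc_open().

/**
 * Accept only https:// URLs to an allowlisted git host with a plain repo path.
 * parse_url() gives structural fields to check, replacing filter_var()/strpos()
 * substring tests, which the advisory describes as bypassable.
 */
function validateGitRemoteUrl(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    // Reject anything beyond scheme + host + path (no userinfo, port, query, fragment).
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return null;
        }
    }
    if (($parts['scheme'] ?? '') !== 'https' || !isset($parts['host'], $parts['path'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }
    // Path: slash-separated segments of [A-Za-z0-9._-], each starting alphanumeric, no "..".
    if (!preg_match('#^(/[A-Za-z0-9][A-Za-z0-9._-]*)+$#', $parts['path'])
        || strpos($parts['path'], '..') !== false) {
        return null;
    }
    return 'https://' . $host . $parts['path'];
}

/**
 * Run `git remote add origin <url>` with an argv array: no shell ever parses the
 * URL, so metacharacters are inert, and "--" keeps git from reading it as an option.
 */
function setRemoteSafely(string $repoDir, string $url, array $allowedHosts): bool
{
    $clean = validateGitRemoteUrl($url, $allowedHosts);
    if ($clean === null) {
        return false; // reject at validation, never fall back to a shell string
    }
    $cmd = ['git', '-C', $repoDir, 'remote', 'add', 'origin', '--', $clean];
    $pipes = [];
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}

// Constructed usage: $allowedHosts is an assumption for this example.
// var_dump(setRemoteSafely('/tmp/site', $_POST['url'] ?? '', ['github.com']));
```

Logging each rejected URL (without echoing it back to the client) gives operators a detection signal for probing of this endpoint.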
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
CVE-2025-49141 is an OS command injection vulnerability in a public-facing PHP web application (HAX CMS), enabling remote code execution (T1190: Exploit Public-Facing Application) via Unix shell commands (T1059.004: Unix Shell) through insufficient input validation in the gitImportSite endpoint.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.