CVE-2025-50567

Critical · RCE

Published: 19 August 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (57.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50567 is a critical-severity SQL Injection (CWE-89) vulnerability in Saurus CMS Community (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-50567 is a critical vulnerability in Saurus CMS Community Edition 4.7.1, published on 2025-08-19T14:15:39.700. It stems from a flaw in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This design allows injection of user-controlled SQL statements, potentially enabling arbitrary PHP code execution. The issue maps to CWE-89 (SQL Injection) and CWE-94 (Code Injection), with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation changes the scope, yielding high impacts on confidentiality, integrity, and availability. By crafting malicious input, attackers can inject SQL that evaluates to PHP code, achieving arbitrary code execution on the affected server.

Mitigation details and advisories are available via vendor sites at http://saurus.com and http://saurused.com, a security research document at https://github.com/rahulhoysala/security-research/blob/main/CVE-2025-50567.md, and researcher information at https://in.linkedin.com/in/rahul-hoysala-221a26341.

EU & UK References

Vulnerability details

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via SQLi in a public-facing CMS web app maps cleanly to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (Shared CWE-89)
CVE-2024-13488 (Shared CWE-89)
CVE-2026-44262 (Shared CWE-94)
CVE-2026-20002 (Shared CWE-89)
CVE-2025-1446 (Shared CWE-89)
CVE-2025-22699 (Shared CWE-89)
CVE-2025-65037 (Shared CWE-94)
CVE-2026-9170 (Shared CWE-94)
CVE-2026-36232 (Shared CWE-89)
CVE-2024-57707 (Shared CWE-94)

Affected Assets

Saurus CMS Community (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, reporting, and correction of the flawed DB::prepare() function using deprecated preg_replace() /e modifier to eliminate the SQL injection vulnerability.

prevent

Mandates validation of user-controlled inputs to block malicious SQL statements that could be interpolated and evaluated as PHP code via the vulnerable DB::prepare().

prevent

Implements boundary protection mechanisms like web application firewalls to detect and block remote unauthenticated SQL injection attempts exploiting the DB::prepare() flaw.
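
To support identifying code that uses the preg_replace() /e modifier described above, the following added example (not code from Saurus CMS or from this page's sources) scans PHP source for preg_replace() calls whose pattern literal carries the e modifier and lists calls with a non-literal pattern for manual review. The function names and the sample PHP are assumptions constructed for illustration.

```python
import re

# preg_replace( with a quoted string literal as its first argument.
LITERAL_CALL = re.compile(
    r"""\bpreg_replace\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""", re.I | re.S)
# preg_replace( whose first argument is not a plain string literal.
DYNAMIC_CALL = re.compile(r"""\bpreg_replace\s*\(\s*([^\s'"])""", re.I)
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def pcre_modifiers(pattern):
    """Return the modifier letters that follow the closing delimiter."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    end = pattern.rfind(CLOSERS.get(pattern[0], pattern[0]))
    tail = pattern[end + 1:] if end > 0 else ""
    return tail if tail.isalpha() else ""


def audit(php_source):
    """Map 'eval' and 'review' to lists of (line, text) findings."""
    def line_of(pos):
        return php_source.count("\n", 0, pos) + 1

    eval_hits = [(line_of(m.start()), m.group(2))
                 for m in LITERAL_CALL.finditer(php_source)
                 if "e" in pcre_modifiers(m.group(2))]
    review = [(line_of(m.start()), m.group(0))
              for m in DYNAMIC_CALL.finditer(php_source)]
    return {"eval": eval_hits, "review": review}


# Constructed sample input; it is not Saurus CMS source code.
SAMPLE_PHP = r'''<?php
class DB {
    function prepare($sql, $args) {
        return preg_replace('/\?/e', 'self::quote(array_shift($args))', $sql);
    }
    function tidy($s) {
        return preg_replace("#\s+#", ' ', $s);
    }
    function slug($s, $pat) {
        return preg_replace($pat, '-', $s);
    }
}
'''

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_PHP).items():
        for line, text in hits:
            print(f"{kind}: line {line}: {text}")
```

Each "eval" finding is a candidate for rewriting with preg_replace_callback() or a parameterized query API; "review" findings need a manual check because the pattern is built at run time.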

References