CVE-2025-50567
Published: 19 August 2025
Summary
CVE-2025-50567 is a critical-severity SQL Injection (CWE-89) vulnerability in Saurus CMS Community (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-50567 is a critical vulnerability in Saurus CMS Community Edition 4.7.1, published on 2025-08-19T14:15:39.700. It stems from a flaw in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This design allows injection of user-controlled SQL statements, potentially enabling arbitrary PHP code execution. The issue maps to CWE-89 (SQL Injection) and CWE-94 (Code Injection), with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation changes the scope, yielding high impacts on confidentiality, integrity, and availability. By crafting malicious input, attackers can inject SQL that evaluates to PHP code, achieving arbitrary code execution on the affected server.
Mitigation details and advisories are available via vendor sites at http://saurus.com and http://saurused.com, a security research document at https://github.com/rahulhoysala/security-research/blob/main/CVE-2025-50567.md, and researcher information at https://in.linkedin.com/in/rahul-hoysala-221a26341.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25172
Vulnerability details
Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.
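The root cause described above is that query parameters are spliced into SQL text by a regex callback that evaluates PHP, so a value can become both SQL and code. The following is an added example, not Saurus CMS code: a parameterised replacement for a string-interpolating DB::prepare() pattern, where values travel to the driver as bound parameters, plus a small source-audit helper that flags preg_replace() calls whose pattern literal carries the e modifier. The class and function names (SafeDb, findEvalModifier), the in-memory SQLite table, and the two sample source lines fed to the audit helper are all assumptions constructed for the demonstration.

```php
<?php
// Added example (not Saurus CMS code). Assumes PHP 7.3+ with pdo_sqlite.

final class SafeDb
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // MySQL emulates prepares client-side by default; turn that off so the
        // server binds values itself. SQLite does not support this attribute.
        if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
            $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }

    // Bind each :name placeholder as a typed value; the SQL text never changes.
    private function bind(string $sql, array $params): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        foreach ($params as $name => $value) {
            $type = is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR;
            $stmt->bindValue(':' . ltrim((string) $name, ':'), $value, $type);
        }
        $stmt->execute();
        return $stmt;
    }

    /** SELECT-style statements: returns rows as associative arrays. */
    public function query(string $sql, array $params = []): array
    {
        return $this->bind($sql, $params)->fetchAll(PDO::FETCH_ASSOC);
    }

    /** DDL/DML statements: returns the affected row count. */
    public function exec(string $sql, array $params = []): int
    {
        return $this->bind($sql, $params)->rowCount();
    }
}

/**
 * Audit helper: returns [line number => source line] for every preg_replace()
 * call whose quoted pattern literal ends in a modifier string containing 'e'.
 * The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0.
 */
function findEvalModifier(string $phpSource): array
{
    $hits = [];
    foreach (explode("\n", $phpSource) as $i => $line) {
        // group1 = quote, group2 = delimiter, group3 = pattern body, group4 = modifiers
        $re = '~preg_replace\s*\(\s*([\'"])(.)(.*?)\2([a-zA-Z]*)\1~';
        if (preg_match($re, $line, $m) && strpos($m[4], 'e') !== false) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Demo with a constructed in-memory SQLite table.
$db = new SafeDb(new PDO('sqlite::memory:'));
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$hostile = "alice' OR '1'='1";
$db->exec('INSERT INTO users (name) VALUES (:name)', ['name' => $hostile]);
$db->exec('INSERT INTO users (name) VALUES (:name)', ['name' => 'bob']);

// The quote-laden string is compared literally as a value, so only one row matches.
$rows = $db->query('SELECT id, name FROM users WHERE name = :name', ['name' => $hostile]);
echo count($rows), " row(s) matched\n";

// Constructed source sample for the audit helper: line 1 should be flagged, line 2 not.
$sample = <<<'PHP'
$sql = preg_replace('/\{(\w+)\}/e', '$this->quote($params["$1"])', $sql);
$sql = str_replace('{id}', (string) $id, $sql);
PHP;
print_r(findEvalModifier($sample));
```

The audit regex is deliberately narrow (one quoted pattern literal per call on one line); it is a triage aid for grepping a code base, not a substitute for a proper PHP parser or for upgrading to a PHP version where the modifier no longer exists.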
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via SQLi in public-facing CMS web app maps cleanly to T1190.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of the flawed DB::prepare() function that uses the deprecated preg_replace() /e modifier, eliminating the SQL injection vulnerability.
- SI-10 (Information Input Validation): Mandates validation of user-controlled inputs to block malicious SQL statements that could be interpolated and evaluated as PHP code via the vulnerable DB::prepare().
- SC-7 (Boundary Protection): Implements boundary protection mechanisms such as web application firewalls to detect and block remote unauthenticated SQL injection attempts exploiting the DB::prepare() flaw.