Cyber Resilience

CVE-2025-55040

Severity: High
Published: 18 March 2026
Modified: 20 March 2026
KEV Added: not listed
Patch: referenced in the MuraCMS 10.1.4 release notes (see below)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (5.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-55040 is a high-severity CSRF (CWE-352) vulnerability in Murasoftware Mura Cms. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-55040 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting MuraCMS through version 10.1.10. The vulnerable code is the cForm.importform function, which accepts form-definition uploads without validating a CSRF token. Because the only thing tying the request to the administrator is the session cookie, which the browser attaches automatically, a page on an attacker-controlled origin can cause the administrator's browser to submit an upload request that the application treats as a legitimate form import.

The attacker needs no account on the target (PR:N); the victim must be an authenticated administrator who visits the attacker's page (UI:R). In the scenario described by the advisory, the crafted page generates a ZIP archive of attacker-controlled form definitions; if the administrator selects and submits that file, the forged request installs forms that look legitimate but are built to collect sensitive information from site users, leading to data theft. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), with high confidentiality, integrity and availability impact.

Mitigation details are provided in the MuraCMS v10 release notes for version 10.1.4 (https://docs.murasoftware.com/v10/release-notes/#section-version-1014), the reference cited in the advisory. Note the apparent inconsistency: the advisory lists versions through 10.1.10 as affected but points to the 10.1.4 release notes, so confirm which release actually carries the fix against the vendor's current release notes before treating an upgrade as complete. Further information is available from Mura Software at https://www.murasoftware.com.

Vulnerability details

The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form definitions through a CSRF attack. The vulnerable cForm.importform function lacks CSRF token validation, so a malicious website can forge a file upload request that the victim's browser sends with the administrator's session. Full exploitation requires an authenticated administrator to visit the crafted page and select the attacker-generated ZIP file of form definitions; the resulting request installs forms on the target site that appear legitimate but are designed to collect and exfiltrate sensitive user information.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The missing CSRF check on the file-upload function is what lets a malicious webpage turn an ordinary browsing visit (T1189) or a spearphishing link (T1566.002) into an authenticated upload of attacker-controlled content: the victim's browser supplies the session, the attacker's page supplies the request.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55046 (same product: Murasoftware Mura Cms)
CVE-2025-55041 (same product: Murasoftware Mura Cms)
CVE-2025-55044 (same product: Murasoftware Mura Cms)
CVE-2025-55045 (same product: Murasoftware Mura Cms)
CVE-2025-67829 (same product: Murasoftware Mura Cms)
CVE-2025-67830 (same product: Murasoftware Mura Cms)
CVE-2023-48790 (shared CWE-352)
CVE-2024-51144 (shared CWE-352)
CVE-2025-30555 (shared CWE-352)
CVE-2025-59894 (shared CWE-352)

Affected Assets

murasoftware
mura cms
through 10.1.10 per the advisory (the asset record lists all versions; confirm the fixed release with the vendor)

Mitigating Controls (NIST 800-53 r5)

prevent

SC-23 (Session Authenticity) requires mechanisms that bind a request to the authenticated session that made it, such as a per-session CSRF token, which directly addresses the missing token validation in the cForm.importform function that lets a third-party page forge upload requests.

prevent

SI-2 (Flaw Remediation) requires timely remediation by applying the vendor fix. The advisory references the MuraCMS 10.1.4 release notes while listing versions through 10.1.10 as affected, so verify the release that actually carries the fix before closing the finding.

prevent

SI-10 (Information Input Validation) enforces validation of input to the importform function: rejecting requests that do not carry a valid CSRF token and checking the contents of the uploaded ZIP before any form definition is installed.
