CVE-2025-55041
Published: 18 March 2026
Summary
CVE-2025-55041 is a high-severity CSRF (CWE-352) vulnerability in Murasoftware Mura Cms. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session authenticity mechanisms such as CSRF tokens to prevent attackers from forging requests that exploit authenticated administrator sessions to escalate privileges.
AC-3 enforces approved authorizations for access to system resources, directly addressing the lack of proper authorization checks before processing userId and groupId parameters to modify group memberships.
AC-2 establishes processes for managing accounts and group memberships, preventing unauthorized privilege escalations through controlled modification of user groups.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vuln in group management directly enables unauthorized group additions for privilege escalation (T1068) via account manipulation (T1098.007).
NVD Description
MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible.
Deeper analysis
CVE-2025-55041 is a Cross-Site Request Forgery (CSRF) vulnerability, assigned CWE-352 and scored 8.0 under CVSS 3.1 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H), affecting MuraCMS versions through 10.1.10. The flaw exists in the Add To Group functionality of the user management component, specifically the addToGroup method in cUsers.cfc. This method lacks CSRF token validation and proper authorization checks, directly processing attacker-supplied userId and groupId parameters through getUserManager().createUserInGorup() to add any user to any group.
An attacker can exploit this vulnerability by hosting a malicious website or crafted page that forges a request to the vulnerable endpoint. Successful exploitation requires an authenticated user, such as an administrator, to visit the attacker's page; the victim's browser then submits the forged request automatically under the victim's session (the CVSS vector records PR:L and UI:R). This enables privilege escalation for the targeted users, either horizontally to other groups or vertically to the admin group, though addition to the Super Admins group (s2 users) is not possible.
Mitigation is addressed in MuraCMS version 10.1.14, with details provided in the release notes at https://docs.murasoftware.com/v10/release-notes/#section-version-1014. Further information is available on the Mura Software website at https://www.murasoftware.com.
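The two missing checks named above (a CSRF token bound to the session, and an authorization decision before userId and groupId are acted on) are easy to show side by side. The following Python model is an added illustration for this page, not Mura's code or the 10.1.14 fix: the role names, the `PROTECTED_GROUPS` placeholder standing in for a group that only a super admin may manage, and the in-memory `Directory` are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed placeholder: a group that only a super admin may add members to.
PROTECTED_GROUPS = {"super-admins"}


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session and
    rendered into legitimate forms so the browser echoes it back."""
    user_id: str
    roles: set
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Directory:
    """Constructed in-memory group store: user_id -> set of group_ids."""
    memberships: dict = field(default_factory=dict)

    def add(self, user_id: str, group_id: str) -> None:
        self.memberships.setdefault(user_id, set()).add(group_id)


def add_to_group_unchecked(directory: Directory, session: Session, form: dict) -> str:
    """Mirrors the weakness the advisory describes: the handler trusts the
    submitted form as-is, so any request riding on an authenticated session
    (including one a third-party page forged) changes group membership."""
    directory.add(form["userId"], form["groupId"])
    return "added"


def add_to_group_checked(directory: Directory, session: Session, form: dict) -> str:
    """Hardened handler: the same operation gated by a session-bound CSRF
    token (SC-23) and an authorization check on the caller and the target
    group (AC-2 / AC-3)."""
    token = str(form.get("csrfToken", ""))
    # A forged cross-site request cannot read the victim's token, so it will
    # be absent or wrong. compare_digest avoids a timing side channel.
    if not token.isascii() or not hmac.compare_digest(token, session.csrf_token):
        return "rejected: missing or invalid CSRF token"
    # Authorization is decided server-side from the session, never from the form.
    if "manage-groups" not in session.roles:
        return "rejected: caller may not manage group membership"
    if form["groupId"] in PROTECTED_GROUPS and "super-admin" not in session.roles:
        return "rejected: protected group"
    directory.add(form["userId"], form["groupId"])
    return "added"


if __name__ == "__main__":
    admin = Session(user_id="alice", roles={"manage-groups"})
    # Constructed forged request: no token, because a cross-site page cannot read it.
    forged = {"userId": "mallory", "groupId": "admins"}
    print(add_to_group_unchecked(Directory(), admin, forged))
    print(add_to_group_checked(Directory(), admin, forged))
    print(add_to_group_checked(Directory(), admin, dict(forged, csrfToken=admin.csrf_token)))
```

Both checks are needed: the token alone still lets any low-privilege account that can reach the endpoint add itself to arbitrary groups, and the authorization check alone still lets a forged request act with an administrator's rights. Marking the session cookie `SameSite=Lax` or `Strict` adds defence in depth but is not a substitute for the token, since older clients and some cross-site navigations do not honour it.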
Details
- CWE(s)