CVE-2025-55045
Published: 18 March 2026
Summary
CVE-2025-55045 is a high-severity CSRF (CWE-352) vulnerability in Murasoftware Mura Cms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires protections for session authenticity, such as CSRF tokens, directly addressing the lack of token validation in the cUsers.updateAddress function.
SI-10 mandates validation of information inputs, including CSRF tokens, to prevent forged requests that manipulate user address information.
SI-2 requires timely flaw remediation, enabling patching of the CSRF vulnerability as detailed in MuraCMS release notes beyond version 10.1.10.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vuln in public web app directly enables forged requests via malicious link tricking authenticated user (T1190 + T1204.001).
NVD Description
The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when…
more
an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations or deleted legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data.
Deeper analysisAI
CVE-2025-55045 is a Cross-Site Request Forgery (CSRF) vulnerability affecting MuraCMS through version 10.1.10, specifically in the cUsers.updateAddress function, which lacks proper CSRF token validation. This flaw, published on 2026-03-18, enables attackers to manipulate authenticated users' address information by forging requests. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) and is associated with CWE-352 (Cross-Site Request Forgery).
The attack requires an authenticated administrator to visit a malicious webpage controlled by the attacker, which automatically submits a hidden form to the vulnerable endpoint. No special privileges are needed beyond tricking the user into visiting the site (UI:R). Successful exploitation allows arbitrary addition, modification, or deletion of user addresses, including injection of attacker-controlled email addresses and phone numbers or redirection of communications. This compromises data integrity, enables misdirected sensitive communications, disrupts business operations, and facilitates social engineering through corrupted address data.
Mitigation details are available in the MuraCMS v10 release notes, particularly the section on version 10.1.4 at https://docs.murasoftware.com/v10/release-notes/#section-version-1014, with additional resources at https://docs.murasoftware.com/v10/release-notes/ and https://www.murasoftware.com. Security practitioners should review these for patching instructions, as versions beyond 10.1.10 address the issue.
Details
- CWE(s)