Cyber Posture

CVE-2025-57567

Critical · RCE

Published: 17 October 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57567 is a critical-severity Code Injection (CWE-94) vulnerability in Pluxml (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly remediates the RCE flaw in minify.php by identifying, reporting, and correcting the improper file overwrite capability in the PluXml theme editor.

prevent

Enforces least privilege to restrict even authenticated administrators from overwriting web-executable PHP files like minify.php with arbitrary code.

prevent

Validates inputs to the theme editor in the admin panel to prevent injection of malicious PHP code into the minify.php file.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

This is an RCE vulnerability in a public-facing CMS web application, exploitable by an authenticated administrator to overwrite a PHP file and execute arbitrary code.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.

Deeper analysis

CVE-2025-57567 is a remote code execution (RCE) vulnerability in PluXml CMS, specifically within the theme editor's minify.php file located at /themes/defaut/css/minify.php in the default theme directory. An authenticated administrator can exploit this flaw by overwriting the file with arbitrary PHP code directly through the admin panel, enabling execution of system commands on the server. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-94 (Code Injection) and CWE-284 (Improper Access Control).

Exploitation requires an attacker to possess valid administrator credentials (PR:H), after which they can remotely (AV:N) trigger the vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to a scope change (S:C) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), including arbitrary system command execution as the web server process.

Mitigation details are available in advisories referenced at http://pluxml.com and https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-57567.pdf, published on 2025-10-17.

Details

CWE(s)

Affected Products

Pluxml
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-23209 (shared CWE-94)
CVE-2026-39440 (shared CWE-94)
CVE-2026-3300 (shared CWE-94)
CVE-2025-6389 (shared CWE-94)
CVE-2025-66956 (shared CWE-284)
CVE-2025-8723 (shared CWE-94)
CVE-2026-30707 (shared CWE-284)
CVE-2025-34277 (shared CWE-94)
CVE-2025-23243 (shared CWE-284)
CVE-2026-40595 (shared CWE-284)
