Cyber Resilience

CVE-2025-65271

Severity: High · Type: RCE

Published: 08 December 2025
Modified: 12 December 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (Azuriom 1.2.7)
CVSS v3.1 score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0008 (22.6th percentile)
Risk priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65271 is a high-severity Code Injection (CWE-94) vulnerability in Azuriom CMS (vendor: Azuriom). Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 22.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-65271 is a client-side template injection (CSTI) vulnerability in the admin dashboard of Azuriom CMS. It affects versions prior to 1.2.7 and is classified under CWE-94 (Improper Control of Generation of Code ('Code Injection')). The issue arises when plugins or dashboard components render untrusted user input without proper sanitization, enabling the injection and execution of arbitrary template code. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network, requires only low attack complexity and low privileges, and can have high impact on confidentiality, integrity, and availability.

A low-privilege user can exploit this vulnerability by submitting malicious input through affected plugins or dashboard components. When an administrator views or interacts with this untrusted input in their session, the injected template code executes in the context of the administrator's browser or session. This allows the attacker to achieve privilege escalation, potentially gaining full administrative control over the CMS instance.

Azuriom addressed the vulnerability in version 1.2.7, with the specific fix implemented in commit 0289175547319add814dcb526e8ba034f1ebc3ec available on the project's GitHub repository (https://github.com/Azuriom/Azuriom). Security practitioners should advise upgrading to Azuriom 1.2.7 or later and reviewing custom plugins for similar input rendering issues. Additional details are documented in the CVE advisory repository at https://github.com/1337Skid/CVE-2025-65271.

Vulnerability details

Client-side template injection (CSTI) in the Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1203 Exploitation for Client Execution (tactic: Execution): adversaries may exploit software vulnerabilities in client applications to execute code.
- T1221 Template Injection (tactic: Stealth): adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The CSTI flaw is a client-side rendering weakness in the admin dashboard (T1203, T1221); exploiting it executes arbitrary template code in an administrator's session context, which in turn enables privilege escalation (T1068).

CVEs Like This One

- CVE-2024-23963 (shared CWE-94)
- CVE-2025-33233 (shared CWE-94)
- CVE-2026-0500 (shared CWE-94)
- CVE-2025-21292 (shared CWE-94)
- CVE-2026-26682 (shared CWE-94)
- CVE-2025-27678 (shared CWE-94)
- CVE-2024-56448 (shared CWE-94)
- CVE-2026-21853 (shared CWE-94)
- CVE-2024-7425 (shared CWE-94)
- CVE-2024-57061 (shared CWE-94)

Affected Assets

Vendor: azuriom
Product: azuriom
Versions: ≤ 1.2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly prevents client-side template injection by validating and sanitizing untrusted user input from low-privilege users before it is processed or rendered in admin dashboard templates.

SI-15 Information Output Filtering (prevent)

Mitigates execution of injected template code by filtering malicious content from information outputs transmitted to administrators' browser sessions.

SI-2 Flaw Remediation (prevent)

Addresses the specific vulnerability through timely flaw remediation, such as upgrading to Azuriom 1.2.7, which patches the unsanitized rendering in plugins and dashboard components.
